Abstract. Programs with dynamic allocation are able to create and use
an unbounded number of fresh resources, such as references, objects, files,
etc. We propose History-Register Automata (HRA), a new automata-theoretic
formalism for modelling and verifying such programs. HRAs
extend the expressiveness of previous approaches and bring us to the
limits of decidability for reachability checks. The distinctive feature of our
machines is their use of unbounded memory sets (histories) where input
symbols can be selectively stored and compared with symbols to follow.
In addition, stored symbols can be consumed or deleted by reset. We show
that the combination of consumption and reset capabilities renders the
automata powerful enough to imitate counter machines, and in particular
reset Petri nets, and yields closure under all regular operations apart from
complementation. We moreover examine weaker notions of HRAs which
strike different balances between expressiveness and effectiveness.

1 Introduction 

Program analysis faces substantial challenges due to its aim to devise finitary
methods and machines which are called to operate on potentially infinite
program computations. A specific such challenge stems from dynamic generative
behaviours such as, for example, object or thread creation in Java, or reference
creation in ML. A program engaging in such behaviours is expected to generate
a possibly unbounded amount of distinct, i.e. fresh, resources, each of which is
assigned a unique identifier, a name. Hence, any machine designed for analysing
such programs is expected to operate on an infinite alphabet of names. The latter
need has brought about introducing automata over infinite alphabets in program
analysis, starting from prototypical machines for mobile calculi [21] and variable
programs [17], and recently developing towards automata for verification tasks
such as equivalence checks of ML programs [22,23], context-bounded analysis of
concurrent programs [7,3] and runtime program monitoring [13].

The literature on automata over infinite alphabets is rich in formalisms each
based on a different approach for tackling the infiniteness of the alphabet in a
finitary manner (see e.g. [25] for an overview). A particularly intuitive such model
is that of Register Automata (RA) [17,24], which are machines built around
the concept of an ordinary finite-state automaton attached with a fixed finite
amount of registers. The automaton can store in its registers names coming
from the input, and make control decisions by comparing new input names with
those already stored. Thus, by talking about addresses of its memory registers
rather than actual names, a so finitely-described automaton can tackle the
infinite alphabet of names. Driven by program analysis considerations, register
automata have been recently extended with the feature of name-freshness
recognition [30], that is, the capability of the automaton to accept specific inputs just
if they are fresh - they have not appeared before during computation. Those
automata, called Fresh-Register Automata (FRA), can account for languages like
the following,

$\mathcal{L}_0 = \{a_1 \cdots a_n \in \mathcal{N}^* \mid \forall i \neq j.\ a_i \neq a_j\}$

which captures the output of a fresh-name generator ($\mathcal{N}$ is a countably infinite set
of names). FRAs are expressive enough to model, for example, finitary fragments
of languages like the π-calculus [30] or ML [55].

The freshness oracle of FRAs gives the automata some restricted
access to the full history of the computation. In this work we further
capitalise on the use of histories by effectively upgrading them to the status of
registers. That is, in addition to registers, we equip our automata with a fixed
number of unbounded sets of names (histories) where input names can be stored
and compared with names to follow. As histories are internally unordered, the
kind of name comparison we allow for is name belonging (does the input name
belong to the i-th history?). Moreover, names can be selected and removed from
histories, and individual histories can be reset altogether. We call the resulting
machines History-Register Automata (HRA).

The above generalisations greatly strengthen the expressive power of our
machines. For example, different input names may be stored in distinct histories
and checked for different properties. Moreover, individual names can be removed
from histories, thus allowing us to express consumption of resources. More
specifically, we identify three distinctive features of HRAs:

(a) The capability to reset histories, which captures languages like

$\mathcal{L}_1 = \{a_0 w_1 \cdots a_0 w_n \in \mathcal{N}^* \mid \forall i.\ w_i \in \mathcal{N}^* \land a_0 w_i \in \mathcal{L}_0\}$

for some fixed name $a_0$.

(b) The use of multiple histories, which allows one to express

$\mathcal{L}_2 = \{a_1 a'_1 \cdots a_n a'_n \in \mathcal{N}^* \mid a_1 \cdots a_n,\ a'_1 \cdots a'_n \in \mathcal{L}_0\}$.

(c) The capability to select and remove individual names from histories, which
allows us to express

$\mathcal{L}_3 = \{a_1 \cdots a_n a'_1 \cdots a'_{n'} \in \mathcal{N}^* \mid a_1 \cdots a_n,\ a'_1 \cdots a'_{n'} \in \mathcal{L}_0 \land \forall i. \exists j.\ a'_i = a_j\}$.

The above examples, none of which is FRA-recognisable, are used here to
demonstrate the limitations of FRAs: although the latter are sufficiently powerful
for expressing the semantics of programs with generative effects, they fall short of
providing a satisfactorily rich verification toolkit for them. We cannot (a)
Kleene-close FRAs (actually, not even concatenate them), (b) interleave them nor (c) use
them to express non-freshness or consumption of names.
Let us further expand on point (c). The language $\mathcal{L}_3$ captures a paradigmatic
scenario of a name generator followed by a name consumer: each consumed name
$a'_i$ must have been created first (non-freshness), and no name can be consumed
twice. The language is decided by the following automaton with one history.

[Figure: one-history automaton with a loop labelled ∅,1 at $q_0$, an ε-transition
from $q_0$ to $q_1$, and a loop labelled 1,∅ at $q_1$]

The automaton starts from state $q_0$ with empty history and, for each input
name a, if a does not appear in the history, it accepts a, stores it in the history
and goes back to $q_0$.¹ Alternatively, the automaton can make an ε-transition to
consumption mode, i.e. to state $q_1$. There, for each input name a, if a already
appears in the history, the automaton accepts a, removes it from the history and
goes back to $q_1$.² Thus, at $q_0$ the automaton acts as a name generator and at $q_1$
as a name consumer.

Apart from the gains in expressive power, the passage to HRAs yields a
more well-rounded automata-theoretic formalism for generative behaviours as
these machines enjoy closure under all regular operations apart from
complementation (union, intersection, concatenation, Kleene star). On the other hand,
the combination of the aforementioned features (a-c) of HRAs enables us to use
histories as counters and simulate counter machines. We therefore obtain
non-primitive recursive bounds for checking language emptiness. Given that language
containment and universality are undecidable already for register automata [24],
HRAs are fairly close to the decidability boundary for properties of languages
over infinite alphabets. Nonetheless, starting from HRAs and weakening them
in each of the first two enumerated factors (a,b) we obtain automata models
which are still highly expressive but computationally more tractable. Overall,
the expressiveness hierarchy of the machines we examine is depicted in Figure 1
(weakening in (a) and (b) respectively occurs in the second column of the figure).



Motivation and related work 

The motivation behind this work stems from semantics and verification. In
semantics, the use of names to model resource generation originates in the work
of Pitts and Stark on the ν-calculus [25] and Stark's PhD thesis [55]. Names
have subsequently been incorporated in the semantics literature (see, for
example [15,4,1,18]), especially after the advent of Nominal Sets [12] which provided
formal foundations for doing mathematics with names. Recent work in game
semantics in particular has produced algorithmic representations of game models
using extensions of fresh-register automata [22,23], thus achieving automated
equivalence checks for fragments of ML. In a parallel development, a research
stream on automated analysis of dynamic concurrent programs has developed
essentially the same formalisms, this time stemming from basic operational
semantics [7,3]. This confluence of different methodologies is exciting and
encourages the development of stronger automata for a wider range of verification tasks,
and just such an automaton we propose herein.

1 Thus, the "∅" in the loop label means that a does not appear in any history, and
the "1" that, once accepted, a should be added to history number 1 (the only history
of the automaton in this case).

2 Thus, the "1" in this transition label means that a already appears in history 1, and
the "∅" that, once accepted, a should appear in no history.

Fig. 1. Expressiveness of history-register automata compared to previous models (in
italics). The inclusion $\mathcal{M} \to \mathcal{M}'$ means that for each $\mathcal{A} \in \mathcal{M}$ we can effectively
construct an $\mathcal{A}' \in \mathcal{M}'$ accepting the same language as $\mathcal{A}$. All inclusions are strict.

Although our work is driven by program analysis, the closest existing
automata models to ours come from XML database theory and model checking.
Research in the latter area has made great strides in the last years on automata
over infinite alphabets and related logics (e.g. see [28] for an overview from 2006).
As we show in this paper, history-register automata fit very well inside the big
picture of automata over infinite alphabets (cf. Figure 1) and in fact can be
seen as a variant of Data Automata (DA) [6] or, equivalently, Class Memory
Automata (CMA) [5]. This fit leaves space for transfer of technologies and, more
specifically, of the associated logics of data automata.

Overview 

The next section introduces HRAs and looks into examples and some first
properties. In Section 3 we examine regular closure properties of HRAs and in Section 4
we prove decidability for emptiness. In Section 5 we introduce weaker models and
in Section [5] we connect HRAs to existing automata formalisms. We conclude by
discussing future directions which emanate from this work.

2 Definitions and first properties 

We start by fixing some notation. Let $\mathcal{N}$ be a countably infinite alphabet of
names, which we range over by a, b, c, etc. For any pair of natural numbers
i < j, we write for the set $\{i, \cdots, j\}$, and for each i we let [i] be the
set $\{1, \cdots, i\}$. For any set S, we write |S| for the cardinality of S, $\mathcal{P}(S)$ for the
powerset of S, $\mathcal{P}_{\mathrm{fn}}(S)$ for the set of finite subsets of S, and $\mathcal{P}_{\neq\emptyset}(S)$ for the set of
non-empty subsets of S. We write $\mathrm{id} : S \to S$ for the identity function on S, and
$\mathrm{img}(f)$ for the image of $f : S \to T$.
We define automata which are equipped with a fixed number of registers
and histories where they can store names. Each register is a memory cell where 
one name can be stored at a time; each history can hold an unbounded set of 
names. We use the term place to refer to both histories and registers. 

Transitions are of two kinds: name-accepting transitions and reset transitions. 
Those of the former kind have labels of the form (X, X'), for sets of places X and 
X'; and those of the latter carry labels with single sets of places X. A transition 
labelled (X, X') means: 

— accept name a if it is contained precisely in places X, and 

— update places in X and X' so that a be contained precisely in places X' 
after the transition (without touching other names). 

By a being contained precisely in places X we mean that it appears in every place
in X, and in no other place. In particular, the label (∅, X') signifies accepting a
fresh name (one which does not appear in any place) and inserting it in places
X'. On the other hand, a transition labelled by X resets all the places in X, that
is, updates each to be the empty set. Reset transitions do not accept names; they
are ε-transitions from the outside. Note then that the label (X, ∅) has different
semantics from the label X: the former stipulates that a name appearing precisely
in X be accepted and then removed from X; whereas the latter clears all the
contents of the places in X, without accepting anything.

Formally, let us fix positive integers m and n which will stand for the default
number of histories and registers respectively in the machines we define below.
The set Asn of assignments and the set Lab of labels are:

$\mathit{Asn} = \{H : [m+n] \to \mathcal{P}_{\mathrm{fn}}(\mathcal{N}) \mid \forall i > m.\ |H(i)| \leq 1\}$
$\mathit{Lab} = \mathcal{P}([m+n])^2 \cup \mathcal{P}([m+n])$

For example, $\{(i, \emptyset) \mid i \in [m+n]\}$ is the empty assignment. We range over
elements of Asn by H and variants, and over elements of Lab by $\ell$ and variants.
Moreover, it will be handy to introduce the following notation for assignments.
For any assignment H and any $a \in \mathcal{N}$, $S \subseteq \mathcal{N}$ and $X \subseteq [m+n]$:

— We set H@X to be the set of names which appear precisely in places X in
H, that is, $H@X = \bigcap_{i \in X} H(i) \setminus \bigcup_{i \notin X} H(i)$.

In particular, $H@\emptyset = \mathcal{N} \setminus \bigcup_{i \in [m+n]} H(i)$ is the set of names which are fresh
for H.

— $H[X \mapsto S]$ is the update H' of H so that all places in X are mapped to S,
i.e. $H' = \{(i, H(i)) \mid i \notin X\} \cup \{(i, S) \mid i \in X\}$. For example, $H[X \mapsto \emptyset]$ resets
all places in X.

— H[a in X] is the update of H which removes name a from all places and
inserts it back in X, that is, for all i:

$$H[a \text{ in } X](i) = \begin{cases} H(i) \setminus \{a\} & i \notin X \\ H(i) \cup \{a\} & i \in X \cap [m] \\ \{a\} & i \in X \setminus [m] \end{cases}$$
Note above that operation H[a in X] acts differently in the case of histories
($i \leq m$) and registers ($i > m$) in X: in the former case, the name a is added
to the history H(i), while in the latter the register H(i) is set to {a} and its
previous content is cleared.

We can now define our automata. 

Definition 1. A history-register automaton (HRA) of type (m,n) is a
tuple $\mathcal{A} = \langle Q, q_0, H_0, \delta, F \rangle$ where:

— Q is a finite set of states, $q_0$ is the initial state, $F \subseteq Q$ are the final ones,

— $H_0 \in \mathit{Asn}$ is the initial assignment, and

— $\delta \subseteq Q \times \mathit{Lab} \times Q$ is the transition relation.

For brevity, we shall call $\mathcal{A}$ an (m, n)-HRA.

We write transitions in the forms $q \xrightarrow{X,X'} q'$ and $q \xrightarrow{X} q'$, for each kind of
transition labels. In diagrams, we may unify different transitions with common source
and target, for example $q \xrightarrow{X,X'} q'$ and $q \xrightarrow{Y,Y'} q'$ may be written $q \xrightarrow{X,X' \,/\, Y,Y'} q'$;
moreover, we shall lighten notation and write i for the singleton {i}, and ij for

We already gave an overview of the semantics of HRAs. This is formally
defined by means of configurations representing the current computation state
of the automaton. A configuration of $\mathcal{A}$ is a pair $(q, H) \in \hat{Q}$, where:

$\hat{Q} = Q \times \mathit{Asn}$

From the transition relation δ we obtain the configuration graph of $\mathcal{A}$ as follows.



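Definition 2. Let $\mathcal{A}$ be an (m,n)-HRA as above. Its configuration graph
$(\hat{Q}, \to)$, where $\to\ \subseteq \hat{Q} \times (\mathcal{N} \cup \{\epsilon\}) \times \hat{Q}$, is constructed by setting
$(q,H) \xrightarrow{x} (q',H')$ just if one of the following conditions is satisfied.

— $x = a \in \mathcal{N}$ and there is $q \xrightarrow{X,X'} q' \in \delta$ such that $a \in H@X$ and
$H' = H[a \text{ in } X']$.

— $x = \epsilon$ and there is $q \xrightarrow{X} q' \in \delta$ such that $H' = H[X \mapsto \emptyset]$.

The language accepted by $\mathcal{A}$ is:

$\mathcal{L}(\mathcal{A}) = \{w \in \mathcal{N}^* \mid (q_0, H_0) \overset{w}{\twoheadrightarrow} (q, H) \text{ and } q \in F\}$

where $\twoheadrightarrow$ is the reflexive transitive closure of $\to$, that is, $\hat{q} \overset{x_1 \cdots x_n}{\twoheadrightarrow} \hat{q}'$ if
$\hat{q} \xrightarrow{x_1} \cdots \xrightarrow{x_n} \hat{q}'$.

Note that we use ε both for the empty sequence and the empty transition
so, in particular, when writing sequences of the form $x_1 \cdots x_n$ we may implicitly
consume ε's.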
Example 3. The language $\mathcal{L}_1$ of the Introduction is recognised by the following
(1, 1)-HRA with initial assignment $\{(1, \emptyset), (2, a_0)\}$.

[Figure: diagram of the (1, 1)-HRA]

The automaton starts by accepting $a_0$, leaving it in register 2, and moving to
state $q_1$. There, it loops accepting fresh names (appearing in no place) which it
stores in history 1. From $q_1$ it goes back to $q_0$ by resetting its history.
We can also see that the following HRAs, of type (2,0) and (1,0), accept the
languages $\mathcal{L}_2$ and $\mathcal{L}_3$ respectively.

[Figure: diagrams of the two automata; surviving transition labels: ∅,2 / 1,12]

Both automata start with empty assignments. 
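
The configuration-graph semantics of Definition 2, as an added Python example that is not code from the paper: it runs the generator/consumer automaton for $\mathcal{L}_3$ described in the Introduction and the (1, 1)-HRA of Example 3. The diagrams did not survive on this page, so the state names, the choice of final states, and modelling the ε-transition as a reset with the empty label are assumptions.

```python
from dataclasses import dataclass

EMPTY = frozenset()

def where(H, a):
    """The unique X with a in H@X: exactly the places (1-based) that hold a."""
    return frozenset(i for i, s in enumerate(H, start=1) if a in s)

def move(H, a, X2, m):
    """H[a in X']: remove a everywhere, then put it back in the places of X'."""
    out = []
    for i, s in enumerate(H, start=1):
        if i not in X2:
            out.append(s - {a})
        elif i <= m:                       # history: a is added
            out.append(s | {a})
        else:                              # register: old content is cleared
            out.append(frozenset({a}))
    return tuple(out)

def reset(H, X):
    """H[X -> {}]: empty every place in X."""
    return tuple(EMPTY if i in X else s for i, s in enumerate(H, start=1))

@dataclass
class HRA:
    m: int             # histories are places 1..m
    n: int             # registers are places m+1..m+n
    q0: str
    H0: tuple          # initial assignment: one frozenset per place
    finals: frozenset
    accepting: list    # name-accepting transitions (q, X, X', q')
    resets: list       # reset transitions (q, X, q'); they read no input

    def closure(self, configs):
        """Configurations reachable from `configs` by reset transitions only."""
        seen, todo = set(configs), list(configs)
        while todo:
            q, H = todo.pop()
            for p, X, p2 in self.resets:
                nxt = (p2, reset(H, X))
                if p == q and nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def accepts(self, word):
        """Explore the configuration graph breadth-first along `word`."""
        configs = self.closure({(self.q0, self.H0)})
        for a in word:
            step = set()
            for q, H in configs:
                X = where(H, a)            # only a label (X, X') can fire on a
                for p, X1, X2, p2 in self.accepting:
                    if p == q and frozenset(X1) == X:
                        step.add((p2, move(H, a, frozenset(X2), self.m)))
            configs = self.closure(step)
        return any(q in self.finals for q, _ in configs)

def l3_automaton():
    """Generator at q0 (label {},1), consumer at q1 (label 1,{}); q1 final (assumed)."""
    return HRA(m=1, n=0, q0="q0", H0=(EMPTY,), finals=frozenset({"q1"}),
               accepting=[("q0", EMPTY, {1}, "q0"), ("q1", {1}, EMPTY, "q1")],
               resets=[("q0", EMPTY, "q1")])   # epsilon step = reset of no place

def l1_automaton(a0="a0"):
    """Example 3: a0 sits in register 2, fresh names go to history 1, reset on return."""
    return HRA(m=1, n=1, q0="q0", H0=(EMPTY, frozenset({a0})),
               finals=frozenset({"q0"}),       # final state is an assumption
               accepting=[("q0", {2}, {2}, "q1"), ("q1", EMPTY, {1}, "q1")],
               resets=[("q1", {1}, "q0")])

if __name__ == "__main__":
    # Constructed sample words: create a, b then consume both / consume a twice.
    print(l3_automaton().accepts(["a", "b", "b", "a"]))
    print(l3_automaton().accepts(["a", "b", "a", "a"]))
    # The reset makes x fresh again after the second a0.
    print(l1_automaton().accepts(["a0", "x", "y", "a0", "x"]))
```

Because a name lies in H@X for exactly one X, `where` computes that X once per configuration and only transitions whose first label component equals it can fire.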

As mentioned in the introductory section, HRAs build upon (Fresh) Register
Automata [17,24,30]. The latter can be defined within the HRA framework as
follows.³

Definition 4. A Fresh-Register Automaton (FRA) of n registers is a (1,n)-HRA
$\mathcal{A} = \langle Q, q_0, H_0, \delta, F \rangle$ such that:

— $H_0(1) = \bigcup_i H_0(i)$ and, for all $(q, \ell, q') \in \delta$, there are X, X' such that
$\ell = (X, X')$ and $1 \in X'$;

— for all $(q, \{1\}, X', q') \in \delta$, there is also $(q, \emptyset, X', q') \in \delta$.

A Register Automaton (RA) of n registers is a (0,n)-HRA with no reset
transitions.

Thus, in an FRA all the initial names must appear in its history, and the
same holds for all the names the automaton accepts during computation ($1 \in X'$).
As, in addition, no reset transitions are allowed, the history effectively contains
all names of a run. On the other hand, the automaton cannot recognise
non-freshness: if a name appearing only in the history is to be accepted at any point
then a totally fresh name can also be accepted in the same way. Now, from [30]
we have the following.

Lemma 5. The languages $\mathcal{L}_1$, $\mathcal{L}_2$ and $\mathcal{L}_3$ are not FRA-recognisable.

Proof. $\mathcal{L}_1$ was explicitly examined in [30]. For $\mathcal{L}_2$ and $\mathcal{L}_3$ we use a similar
argument as the one for showing that $\mathcal{L}_0 * \mathcal{L}_0$ is not FRA-recognisable [30]. □

3 The definitions given in [17,24,30] are slightly different but they can routinely be
shown equivalent.
Bisimulation. Bisimulation equivalence, also called bisimilarity, is a useful tool
for relating automata, even from different paradigms. It implies language
equivalence and is generally easier to reason about than the latter. We will be using
it avidly in the sequel.

Definition 6. Let $\mathcal{A}_i = \langle Q_i, q_{0i}, H_{0i}, \delta_i, F_i \rangle$ be (m,n)-HRAs, for i = 1,2. A
relation $R \subseteq \hat{Q}_1 \times \hat{Q}_2$ is called a simulation on $\mathcal{A}_1$ and $\mathcal{A}_2$ if, for all $(\hat{q}_1, \hat{q}_2) \in R$,

— if $\hat{q}_1$ $\hat{q}'_1$ and $\pi_1(\hat{q}'_1) \in F_1$ then $\hat{q}_2$ $\hat{q}'_2$ for some $\pi_1(\hat{q}'_2) \in F_2$, where $\pi_1$ is
the first projection function;

— if $\hat{q}_1 \twoheadrightarrow\,\to \hat{q}'_1$ then $\hat{q}_2 \twoheadrightarrow\,\to \hat{q}'_2$ for some $(\hat{q}'_1, \hat{q}'_2) \in R$.

R is called a bisimulation if both R and $R^{-1}$ are simulations. We say that
$\mathcal{A}_1$ and $\mathcal{A}_2$ are bisimilar, written $\mathcal{A}_1 \sim \mathcal{A}_2$, if there is a bisimulation R such
that $((q_{01}, H_{01}), (q_{02}, H_{02})) \in R$.

The following is a standard result.

Lemma 7. If $\mathcal{A}_1 \sim \mathcal{A}_2$ then $\mathcal{L}(\mathcal{A}_1) = \mathcal{L}(\mathcal{A}_2)$.

As a first taste of HRA reasoning, we demonstrate a technique for simulating
registers by histories in HRAs. The idea is to represent a register by a history
whose size is always kept at most 1. There are, however, some technicalities.
To ensure that histories are effectively kept in size ≤ 1 they must be cleared
before inserting names. This in turn complicates the conditions dictating when
a transition can be taken as such conditions may depend on the deleted names.

Proposition 8. Let $\mathcal{A} = \langle Q, q_0, H_0, \delta, F \rangle$ be an (m,n)-HRA. There is an
(m+2n,0)-HRA $\mathcal{A}'$ such that $\mathcal{A} \sim \mathcal{A}'$.

Proof. To each of the n registers of $\mathcal{A}$ we assign a pair of histories in $\mathcal{A}'$. The
reason we need two copies of each register is so that, for each transition with
label (X, X'), we use one copy for the name comparisons needed for the X part
of the label (old copy), and the other copy for the assignments dictated by X'
(new copy). Note that assigning names in the same copy would mean that our
histories would grow to sizes greater than 1. After the assignment, the old copies
of X and X' are garbage. The correspondence is completed by pre-composing
each such transition with a reset of all garbage.

Formally, $\mathcal{A}' = \langle Q', q'_0, H'_0, \delta', F' \rangle$ where elements of Q' are of the form (q, f)
with $q \in Q$ and $f : [m+1, m+n] \to [m+1, m+2n]$ is such that, for each i, $f(i) \in$
The role of f is to record which copy of the two registers is currently
used. We set $\bar{f}$ to be the complement of f, that is, the function defined by
$\bar{f}(i) = n + 2i - f(i)$. We write $f^{\dagger} : [m+n] \to [m+2n]$ for the function given by $f^{\dagger}(i) = i$
if $i \in [m]$ and $f(i)$ otherwise. Moreover, $q'_0 = (q_0, \mathrm{id})$, $F' = \{(q, f) \mid q \in F\}$, and
$H'_0$ is $H_0$ so extended that $H'_0(i) = \emptyset$ for all $i > m+n$. Finally, we include in δ'
precisely the following transitions.⁴

4 Since each (X, X')-labelled transition in δ decomposes into two transitions in δ', we
also need dummy states in between but we prefer to gloss over this easy point for
economy.

— For each $q \xrightarrow{X,X'} q' \in \delta$, add $(q, f) \xrightarrow{Y} \cdot \to (q', f')$ where
$Y = [m+1, m+2n] \setminus \mathrm{img}(f)$, and f' is given by: $f'(i) = \bar{f}(i)$ if $i \in X \cup X'$ and
$f'(i) = f(i)$ otherwise.

— For each $q \xrightarrow{X} q' \in \delta$, add $(q, f) \to (q', f)$.

Setting $R = \{((q, H), (q, f, H')) \mid H = H' \circ f^{\dagger}\}$, we have that R witnesses
bisimilarity. □

The above reduction makes substantial use of reset transitions and of
transitions which move names between histories. As shown in [5], it is possible to
express register behaviour with histories and without resets, using a so called
colouring technique. The latter is demonstrated in Example [55] of Section [5] but
we do not have a general concrete reduction for HRAs. More generally, though,
the technique obscures the intuition of registers and produces automata which
need close examination even for simple languages like the one which contains all
words $a_1 \cdots a_n$ such that $a_i \neq a_{i+1}$ for all i (see Example 25). As, in addition, it is
not applicable to the weaker unary HRAs we examine in Section 5, we preferred
to explicitly include registers in HRAs. Another design choice regards the use of
sets of places in transitions instead e.g. of single places. Although the latter
description would lead to an equivalent and probably conciser formalism, it would
be inconvenient for combining HRAs e.g. in order to produce the intersection of
their accepted languages. In fact, our formulation follows M-automata [17], an
equivalent presentation of RAs susceptible to closure constructions.

Determinism. We close our presentation here by describing the deterministic
class of HRAs. We defined HRAs in such a way that, at any given configuration
(q, H) and for any input symbol a, there is at most one set of places X that
can match a, i.e. such that $a \in H@X$. As a result, the notion of determinism in
HRAs can be ensured by purely syntactic means. Below we write $q \overset{X}{\twoheadrightarrow} q' \in \delta$
if there is a sequence of transitions $q \xrightarrow{X_1} \cdots \xrightarrow{X_n} q'$ in δ such that $X = \bigcup_{i=1}^{n} X_i$.
In particular, $q \overset{\emptyset}{\twoheadrightarrow} q \in \delta$.

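Definition 9. Let $\mathcal{A}$ be an HRA. We say that $\mathcal{A}$ is deterministic if, for any
reachable configuration $\hat{q}$ and any name a, if $\hat{q} \twoheadrightarrow \cdot \to \hat{q}_1$ and $\hat{q} \twoheadrightarrow \cdot \to \hat{q}_2$
then $\hat{q}_1 = \hat{q}_2$.

We say that $\mathcal{A}$ is strongly deterministic if $q \overset{Y_1}{\twoheadrightarrow} \cdot \xrightarrow{X \setminus Y_1,\, X_1} q_1 \in \delta$ and
$q \overset{Y_2}{\twoheadrightarrow} \cdot \xrightarrow{X \setminus Y_2,\, X_2} q_2 \in \delta$ imply $q_1 = q_2$, $Y_1 = Y_2$ and $X_1 = X_2$.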

Lemma 10. If A is strongly deterministic then it is deterministic. 



3 Closure properties 

History-register automata enjoy good closure properties with respect to regular 
language operations. In particular, they are closed under union, intersection, 
concatenation and Kleene star, but not closed under complementation. 
In fact, the design of HRAs is such that the automata for union and
intersection come almost for free through a straightforward product construction which
is essentially an ordinary product for finite-state automata, modulo reindexing
of places to account for duplicate labels (cf. [17]). The constructions for Kleene
star and complementation are slightly more involved. We shall need the following
technical gadget, which is fully presented in Appendix 151. Given an (m, n)-HRA
$\mathcal{A}$ and a sequence w of k distinct names, we construct a bisimilar (m, n+k)-HRA,
denoted $\mathcal{A}\ \mathrm{fix}\ w$, in which the names of w appear exclusively in the additional k
registers, which, moreover, remain unchanged during computation. The
construction will allow us, for instance, to create feedback loops in automata ensuring
that after each feedback transition the same initial configuration occurs.

Lemma 11. Let $\mathcal{A}$ be an (m,n)-HRA with initial assignment $H_0$ and
$w = a_1 \cdots a_k$ a sequence of distinct names. We can effectively construct an (m, n+k)-HRA
$\mathcal{A}\ \mathrm{fix}\ w$ with initial assignment $H'_0$ such that:

— $H'_0(m+n+i) = a_i$ for all $i \in [k]$, and $H'_0(i) = H_0(i) \setminus \{a_1, \cdots, a_k\}$ for all
$i \in [m+n]$;

— for all reachable configurations (q, H) of $\mathcal{A}\ \mathrm{fix}\ w$ and all $i > m+n$, $H(i) =$

We can now show the following. 

Proposition 12. Languages recognised by HRAs are closed under union, inter- 
section, concatenation and Kleene star. 

Proof. We show concatenation and Kleene star only. For the former, consider
HRAs $\mathcal{A}_i = \langle Q_i, q_{0i}, H_{0i}, \delta_i, F_i \rangle$, i = 1,2, and assume wlog that they have
common type (m,n). Let w be an enlistment of all names in $H_{02}$ and construct
$\mathcal{A}'_i = \mathcal{A}_i\ \mathrm{fix}\ w$, for i = 1,2. Then, $\mathcal{L}(\mathcal{A}_1) * \mathcal{L}(\mathcal{A}_2)$ is the language recognised by
connecting $\mathcal{A}'_1$ and $\mathcal{A}'_2$ serially, that is, the automaton obtained by connecting
each final state of $\mathcal{A}'_1$ to the initial state of $\mathcal{A}'_2$ with a transition labelled [m+n],
and with initial/final states those of $\mathcal{A}'_1$ / $\mathcal{A}'_2$ respectively.

Finally, given an (m, n)-HRA $\mathcal{A}$ and an enlistment w of its initial names, we
construct an automaton $\mathcal{A}'$ by connecting the final states of $\mathcal{A}\ \mathrm{fix}\ w$ to its initial
state with a transition labelled [m+n]. We can see that $\mathcal{L}(\mathcal{A}') = \mathcal{L}(\mathcal{A})^*$. □

In the next section we shall see that, while universality is undecidable for
HRAs, their emptiness problem can be decided by reduction to coverability for
transfer-reset vector addition systems. In combination, these results imply that
HRAs cannot be effectively complemented. In fact, the following holds.

Lemma 13. HRAs are not closed under complementation.

The proof is in the following example, adapted from [20].

Example 14. Consider the following language and its complement.

$\mathcal{L}_4 = \{w \in \mathcal{N}^* \mid w \neq \epsilon \land \text{not all names in } w \text{ occur exactly twice in it}\}$
$\overline{\mathcal{L}_4} = \{w \in \mathcal{N}^* \mid \text{all names in } w \text{ occur exactly twice in it}\}$

$\mathcal{L}_4$ is accepted by the following (2, 0)-HRA, where "—" can be any of ∅, {1}, {2}.
The automaton non-deterministically selects an input name which either appears
only once in the input or at least three times.

However, $\overline{\mathcal{L}_4}$ is not HRA-recognisable. For suppose it were recognisable (wlog)
by an (m, 0)-HRA $\mathcal{A}$ with k states. Then, $\mathcal{A}$ would accept the word

$w = a_1 \cdots a_k\, a_1 \cdots a_k$

where all $a_i$'s are distinct and do not appear in the initial assignment of $\mathcal{A}$.
Let $p = p_1 p_2$ be the path in $\mathcal{A}$ through which w is accepted, with each $p_i$
corresponding to one of the two halves of w. Since all $a_i$'s are fresh for $\mathcal{A}$, the
non-reset transitions of $p_1$ must carry labels of the form (∅, X), for some sets X.
Let q be a state appearing twice in $p_1$, say $p_1 = p_{11}(q)p_{12}(q)p_{13}$. Consider now
the path $p' = p'_1 p_2$ where $p'_1$ is the extension of $p_1$ which repeats $p_{12}$, that is,
$p'_1 = p_{11}(q)p_{12}(q)p_{12}(q)p_{13}$. We claim that p' is an accepting path in $\mathcal{A}$. Indeed,
by our previous observation on the labels of $p_1$, the path $p'_1$ does not block, i.e. it
cannot reach a transition $q_1 \xrightarrow{X,X'} q_2$, with $X \neq \emptyset$, in some configuration $(q_1, H_1)$
such that $H_1@X = \emptyset$. We need to show that $p_2$ does not block either (in p').
Let us denote $(q, H_1)$ and $(q, H_2)$ the configurations in each of the two visits of
q in the run of p on w; and let us write $(q, H_3)$ for the third visit in the run of
$p'_1$, given that for the other two visits we assume the same configurations as in p.
Now observe that, for each non-empty $X \subseteq [m]$, repeating $p_{12}$ cannot reduce the
number of names appearing precisely in X, therefore $|H_2@X| \leq |H_3@X|$. The
latter implies that, since p does not block, p' does not block either. Now observe
that any word $w'$ accepted by $p'$ is not in $\overline{\mathcal{L}_4}$, as $p'_1$ accepts more than k distinct
names, a contradiction.

4 Emptiness and Universality

We now turn to the question of checking emptiness. The use of unbounded
histories effectively renders our machines into counter automata: where a counter
automaton would increase (or decrease) a counter, an HRA would add (remove)
a name from one of its histories, or set of histories. Nonetheless, HRAs cannot
decide their histories for emptiness, which leaves space for decidability.⁵ The
capability for resetting histories leads us to consider Transfer-Reset Vector
Addition Systems [8,2] (i.e. Petri nets with reset and transfer arcs) as equivalent
formalisms for checking emptiness.

5 Recall that 2-counter machines with increase, decrease and check for zero operations
are Turing complete.

A Transfer-Reset Vector Addition System (TR-VASS) of m dimensions
will be a tuple $\mathcal{A} = \langle Q, \delta \rangle$ where Q a set of states and

a transition relation. Each dimension of $\mathcal{A}$ corresponds to an unbounded counter.
Thus, a transition of $\mathcal{A}$ can either update its counters by addition of a vector
$v \in \{-1, 0, 1\}^m$, or transfer the value of one counter to another, or reset some
counter.

Formally, a configuration of $\mathcal{A}$ is a pair $(q, v) \in Q \times \mathbb{N}^m$ consisting of a state
and a vector of values stored in the counters. The configuration graph of $\mathcal{A}$ is
constructed by including an edge $(q, v) \to (q', v')$ if:

— there is some $(q, v'', q') \in \delta$ such that $v' = v + v''$, or

— there is $(q, i, j, q') \in \delta$ such that $v' = (v[j \mapsto v_i + v_j])[i \mapsto 0]$,

— or there is some $(q, i, q') \in \delta$ such that $v' = v[i \mapsto 0]$;

where we write $v_i$ for the ith dimension of v, and $v[i \mapsto v']$ for the update of v
where the i-th counter is set to v'. An R-VASS is a TR-VASS without transfer
transitions.

The control-state reachability problem for TR-VASSs is defined as follows.
Given a TR-VASS $\mathcal{A}$ of m dimensions, a configuration $(q_0, v_0)$ and a state q,
is there some $v \in \mathbb{N}^m$ such that $(q_0, v_0) \twoheadrightarrow (q, v)$? In such a case, we write
$(\mathcal{A}, q_0, v_0, q) \in \mathit{Reach}$.

Fact 15 ([27,10]). Control-state reachability for TR-VASSs and R-VASSs is
decidable and has non-primitive recursive complexity.

We next reduce HRA emptiness to TR-VASS control-state reachability. By
Proposition 8 we can consider HRAs without registers. Below we write $\vec{0}$ for the
vector $(0, \cdots, 0)$ and $\delta_i$ for $\vec{0}[i \mapsto 1]$.

Proposition 16. Emptiness is decidable for HRAs. 

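Proof. For each (m,0)-HRA $\mathcal{A} = \langle Q, q_0, H_0, \delta, F \rangle$, we construct a TR-VASS $\mathcal{A}'$
with $2^m$ dimensions: one dimension X for each $X \subseteq [m]$. The dimension ∅ will
be simply garbage collecting. We assign to each state of $\mathcal{A}$ a corresponding state
in $\mathcal{A}'$. Moreover,

— we map each $q \xrightarrow{X,X'} q'$ to a pair $q \to \cdot \to q'$, where = $\delta_Y$ if $Y \neq \emptyset$
and otherwise (Y = X, X');

— we map each transition $q \xrightarrow{X} q'$ of $\mathcal{A}$ to a sequence of transitions
$q \xrightarrow{X_1, Y_1} \cdots \xrightarrow{X_\ell, Y_\ell} q'$ in $\mathcal{A}'$, where $X_1, \ldots, X_\ell$ an enumeration of all $X_i$ such that
$X_i \cap X \neq \emptyset$, and $Y_i = X_i \setminus X$;

We also add in $\mathcal{A}'$ a state $q_F$ and transitions $q \to q_F$ for each $q \in F$, and set
$v_0 = \{(X, |H_0@X|) \mid \emptyset \neq X \subseteq [m]\} \cup \{(\emptyset, 0)\}$.

$\mathcal{A}'$ simulates the behaviour of $\mathcal{A}$ so that, whenever $\mathcal{A}$ is at a configuration (q, H),
$\mathcal{A}'$ is at a configuration (q, v) such that, for all non-empty $X \subseteq [m]$, $|H@X| =$ .
The transitions above capture exactly that. At a transition label (X, X'), a name
appearing precisely in X is moved precisely to X'. On the other hand, the effect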
appearing precisely in X is moved precisely to X'. On the other hand, the effect 
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of a reset label X is more complicated: all names appearing precisely in some 
set of places Xi such that Xi fl X ^ will see themselves transferred precisely 
toXi\X. 

We have that $\mathcal{L}(A) \neq \emptyset$ iff there is an accepting run of $A$, that is, a run from
the initial to some final configuration which does not block, i.e. it does not
reach a transition $q \xrightarrow{X,X'} q'$ in some configuration $(q, H)$ such that $|H@X| = 0$.
Equivalently, $\mathcal{L}(A) \neq \emptyset$ iff $(A', q_0, v_0, q_F) \in \mathit{Reach}$. Now we use Fact 15. □
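
The invariant behind this reduction, as an added Python example (not code from the paper): it runs an (m,0)-HRA assignment H side by side with the counter vector v, where v[X] = |H@X|, and checks that a reset acts on v as the counter transfer described in the proof. The function names, the sample assignment and the step sequence are constructed for illustration.

```python
from itertools import combinations

EMPTY = frozenset()  # the garbage-collecting dimension

def subsets(m):
    """All subsets of [m] = {1, ..., m}: the 2^m dimensions of A'."""
    return [frozenset(c) for r in range(m + 1)
            for c in combinations(range(1, m + 1), r)]

def places_of(H, a):
    """The set of histories in which name a currently occurs."""
    return frozenset(i for i in H if a in H[i])

def at(H, X):
    """Stored names occurring precisely in the histories X (H@X, X non-empty)."""
    stored = set().union(*H.values())
    return {a for a in stored if places_of(H, a) == frozenset(X)}

def counters(H, m):
    """v with v[X] = |H@X| for non-empty X; the garbage dimension starts at 0."""
    return {X: (len(at(H, X)) if X else 0) for X in subsets(m)}

# Name-level semantics of the (m,0)-HRA.
def accept(H, a, X, X2):
    """Transition labelled (X, X2): a must appear precisely in X, then is moved to X2."""
    if places_of(H, a) != frozenset(X):
        raise ValueError(f"blocked: {a!r} does not appear precisely in {sorted(X)}")
    return {i: (H[i] - {a}) | ({a} if i in X2 else set()) for i in H}

def reset(H, Y):
    """Reset labelled Y: every history in Y is emptied."""
    return {i: (set() if i in Y else set(H[i])) for i in H}

# Counter-level semantics of the simulating TR-VASS.
def accept_counters(v, X, X2):
    """Decrement dimension X (if non-empty) and increment dimension X2."""
    X, X2 = frozenset(X), frozenset(X2)
    if X and v[X] == 0:
        raise ValueError("blocked: counter is zero")
    w = dict(v)
    if X:
        w[X] -= 1
    w[X2] += 1  # X2 == EMPTY feeds the garbage dimension
    return w

def reset_counters(v, Y):
    """Transfer the whole content of each dimension Z to dimension Z \\ Y."""
    w = dict.fromkeys(v, 0)
    for Z, n in v.items():
        w[Z - frozenset(Y)] += n
    return w

def nonempty(v):
    """The part of v covered by the invariant (all dimensions except garbage)."""
    return {X: n for X, n in v.items() if X}

def run(H, m, steps):
    """Apply steps to H and to its counters, checking v[X] = |H@X| after each."""
    v = counters(H, m)
    for step in steps:
        if step[0] == "reset":
            H, v = reset(H, step[1]), reset_counters(v, step[1])
        else:
            _, a, X, X2 = step
            H, v = accept(H, a, X, X2), accept_counters(v, X, X2)
        assert nonempty(v) == nonempty(counters(H, m))
    return H, v

# Constructed sample: two histories; b appears precisely in {1, 2}.
H0 = {1: {"a", "b", "c"}, 2: {"b", "d"}}
STEPS = [("name", "e", set(), {1, 2}),  # fresh name e stored in both histories
         ("reset", {1}),                # b and e are transferred from {1,2} to {2}
         ("name", "b", {2}, {1})]       # b now appears precisely in {2}

if __name__ == "__main__":
    H, v = run(H0, 2, STEPS)
    for X in sorted(nonempty(v), key=sorted):
        print(sorted(X), v[X])
```
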

Doing the opposite reduction we can show that emptiness of even strongly 
deterministic HRAs is non-primitive recursive. In this direction, each R-VASS of 
m dimensions is simulated by an (m, 0)-HRA so that the value of each counter i 
of the former is the same as the number of names appearing precisely in history 
i of the latter. 

Proposition 17. Checking emptiness of strongly deterministic HRAs is non- 
primitive recursive. 

Proof. Let $A$ be an R-VASS of $m$ dimensions such that, for each transition
$q \xrightarrow{v} q'$, the number of non-zero dimensions of $v$ is 1. Moreover, suppose $A$ is
deterministic in the following sense. For each state $q$ and transitions $q \xrightarrow{t_1} q_1$
and $q \xrightarrow{t_2} q_2$,

— if $t_1 = \delta_i$, some $i$, then $t_1 = t_2$, and

— if $t_1 = t_2$ then $q_1 = q_2$.

By [37J , control-state reachability for such R-VASSs is non-primitive recursive.
Let $(A, q_0, v_0, q_F)$ be such an instance. We construct a strongly deterministic
(m, 0)-HRA $A'$ where each counter $i$ of $A$ corresponds to the $i$-th history of $A'$.
For each $i, j$ we write $i \oplus j$ for $i+j \bmod m$, and $i \ominus j$ for $i-j \bmod m$. For each
dimension $i$ with $v_{0i} = n$, we pick names $a^i, a^i_1, \ldots, a^i_n$, all pairwise distinct. The
names $a^i_1, \ldots, a^i_n$ will be used for representing the value $n$. On the other hand,
each $a^i$ will be used in reset transitions in order to ensure determinacy. We write
i for the set {i Q 1, i, i © 1}. Thus, the initial assignment for A' is given by: 

$H_0(i) = \{a^i_1, \ldots, a^i_n\} \cup \{a^{i \ominus 1}, a^i, a^{i \oplus 1}\}$

In particular, for each i £ [m], H @{i} — {a\, • • • , a l n } and H @i = {a 1 }. For all 
other sets X, H@X — 0. We let go and qF be the initial state and final states 

of A' respectively. Moreover, we map each transition q q' to q -^f q'; each 

q — ^> q' to q ^—^t q'\ and q A g' to a sequence of transitions: 

{i} 7eT\{i},ieT A{*}>* Wt\{i},Wt , 
q > >■ > > q 

6 In [27] we can assume Minsky machines which only branch in the form 
"if c=0 then goto 1 ; c — ;" and are therefore deterministic in the above sense, while 
Schnoebelen's auxiliary constructions are also deterministic. 

The effect of the above is to remove all names appearing precisely in history
$i$, and proceed with a three-name code which distinguishes this reset from any
other transition and restores the missing $a^j$s from history $i$. Note that the
determinacy of $A$, combined with the way we translate reset transitions, implies strong
determinacy of $A'$. We can see that $A'$ simulates the behaviour of $A$ by storing
the value of each counter $i$ as the number of names appearing exactly in its
history $i$. Hence, $(A, q_0, v_0, q_F) \in \mathit{Reach}$ iff $\mathcal{L}(A') \neq \emptyset$. □

We now turn to the questions of universality and language containment. Note 
first that our machines directly inherit undecidability of these properties from 
register automata [23] . 

Lemma 18. Universality is undecidable for HRAs. 

Nonetheless, as we next show, the above properties are decidable in the
deterministic case. In order to simplify our analysis, we shall be reducing HRAs
to the following compact form where $\epsilon$-transitions are incorporated inside
name-accepting ones. As we show below, no expressiveness is lost by this packed form.

A packed (m,0)-HRA is a tuple $A = (Q, q_0, \delta, H_0, F)$ defined exactly as an
(m, 0)-HRA, with the exception that now:

$\delta \subseteq Q \times \mathcal{P}([m]) \times \mathcal{P}([m]) \times \mathcal{P}([m]) \times Q$

We shall write $q \xrightarrow{Y;X,X'} q'$ for $(q, Y, X, X', q') \in \delta$. The semantics of such a
transition is the same as that of a pair of transitions $q \xrightarrow{Y} \cdot \xrightarrow{X,X'} q'$ of an
ordinary HRA. Formally, configurations of packed HRAs are pairs $(q, H)$, like
in HRAs, and the configuration graph of a packed HRA $A$ like the above is
constructed as follows. We set $(q, H) \xrightarrow{a} (q', H')$ if there is some $q \xrightarrow{Y;X,X'} q'$ in
$\delta$ such that, setting $H_Y = H[Y \mapsto \emptyset]$, we have $a \in H_Y@X$ and $H' = H_Y[a \text{ in } X']$.

Lemma 19. Let A be an (m,0)-HRA. There is a packed (m,0)-HRA A' such 
that A ~ A'. 

Proof. Let $A = (Q, q_0, \delta, H_0, F)$. We set $A' = (Q, q_0, \delta', H_0, F')$ where:

F' = {q e Q | 3q G F,Y. q 1 ^ q E 3} 

5' = {(q,Y,X,X',q') \ q ^ ■ q' e 5} 

Bisimilarity of A and A' is witnessed by the identity on configurations, i.e. R = 
{((q, H), (q, H))} is a bisimulation. □ 

We shall decide language containment via complementation. In particular,
given a deterministic packed HRA $A$, the automaton $A'$ accepting the language
$\mathcal{N}^* \setminus \mathcal{L}(A)$ can be constructed in the analogous way as for deterministic finite-state
automata, namely by obfuscating the automaton with all missing transitions
and swapping final with non-final states. Finding the missing transitions is easy:
for each state q and each set X such that there is no transition of the form 

Y~X\Y X' §~X 

q — ; '- — > q' in A, we add a transition q — — qp to some sink final state qF. 

Lemma 20. Deterministic packed HRAs are closed under complementation.

Proof. Let $A = (Q, q_0, \delta, H_0, F)$ be a packed (m, 0)-HRA. Following the above
rationale, we construct a packed (m, 0)-HRA $A' = (Q \uplus \{q_F\}, q_0, \delta \cup \delta', H_0, F')$,
where $F' = \{q_F\} \cup (Q \setminus F)$ and $\delta'$ is given as follows. For each $q \in Q$ and all

X such that there is no q — — > q' add a transition q — — qp in 5'. In 

addition, S' contains a transition qp - — > g^?. 

We claim that $\mathcal{L}(A') = \mathcal{N}^* \setminus \mathcal{L}(A)$. Indeed, if $s \in \mathcal{L}(A')$ and $s$ is accepted at a
state in $Q \setminus F$ then, since $A$ is deterministic, we have $s \notin \mathcal{L}(A)$. Otherwise, if
$s = s'as''$ with $a$ the point where a transition to the sink state is taken then,
upon acceptance of $s'$ by $A$, $a$ appears precisely in some histories $X$ such that
$A$ has no transition to accept $a$ at that point. Thus, $s \notin \mathcal{L}(A)$.
Conversely, if $s \in \mathcal{N}^* \setminus \mathcal{L}(A)$ then either $s$ induces a configuration in $A$ which
does not end in a final state, or $s = s'as''$ where $s'$ is accepted by $A$ but at that
point $a$ is not a possible transition. We can see that, in each case, $s \in \mathcal{L}(A')$. □

Combining the above with the product construction, and using Proposition 16
and the fact that language emptiness can be reduced to language containment,
we obtain the following.

Proposition 21. Language containment and universality are decidable for de- 
terministic HRAs, with non-primitive recursive complexity. 

5 Weakening HRAs 

The complexity of HRAs is too high for practical verification purposes. For exam- 
ple, deciding emptiness requires complexity which is not primitive recursive. It 
is therefore useful to seek for restrictions thereof which allow us to express mean- 
ingful properties and, at the same time, remain at feasible complexity. As the 
complexity of HRAs stems from the fact that they can simulate computations of 
R-VASSs, our strategy for producing weakenings is to restrict the functionalities 
of the corresponding R-VASSs. We follow two directions: 

(a) We remove reset transitions. This corresponds to removing counter transfers 
and resets and drops the complexity of control-state reachability to exponen- 
tial space. 

(b) We restrict the number of histories to just one. We thus obtain polynomial 
space complexity as the corresponding counter machines are simply one- 
counter automata. This kind of restriction is also a natural extension of 
FRAs with history resets. 

Observe that each of the aspects of HRAs targeted above corresponds to the
distinctive features (a,b) we identified in the Introduction, witnessed by the
languages $\mathcal{L}_1$ and $\mathcal{L}_2$ respectively. We shall see that each restriction leads to
losing the corresponding language.

Our analysis on emptiness for general HRAs from Section 0] is not applicable
to these weaker machines as we now need to take registers into account: the
simulation of registers by histories is either not possible or not practical for
deriving satisfactory bounds. A direct analysis is therefore necessary.

Solving emptiness for each of the weaker versions of HRAs will involve reduction
to the name-free algorithmic setting of a counter machine. In both cases, the
reduction shall follow the same concept of simulating computations with names
symbolically. We present the method in full rigour in Appendix A and specialise
it for each of the weaker HRAs.

5.1 Non-reset HRAs

We first weaken our automata by disallowing resets. We show that the new
machines retain all their closure properties apart from Kleene-star closure. The
latter is concretely manifested in the fact that language $\mathcal{L}_1$ of the Introduction is
lost. On the other hand, the emptiness problem reduces in complexity to double
exponential space, or exponential space for machines with histories only.

Definition 22. A non-reset HRA of type (m,n) is an (m,n)-HRA $A =
(Q, q_0, H_0, \delta, F)$ such that there is no $q \xrightarrow{X} q' \in \delta$.

We call such a machine a non-reset (m, n)-HRA. In an analogous fashion, a 
VASS of m dimensions (an m-VASS) is an R-VASS with no reset transitions. 
For these machines, control-state reachability is significantly less complex. 

Fact 23 ([19,26]) Control-state reachability for VASSs is ExpSpace-complete.

Closure properties. Of the closure constructions of Section 3 we can see that
union and intersection readily apply to non-reset HRAs. On the other hand,
concatenation does use a reset but it can be avoided. More specifically, we add
empty transitions from the final states of $A_1$ to the initial state of a version
of $A_2$ which keeps the places used by $A_1$ untouched and uses its own separate
copy of places, obfuscating its own transitions so as to capture accidental
matchings of the legacy names of $A_1$. Unfortunately, this solution cannot be used for
Kleene closure as in each loop the automaton needs to find a fresh copy of its
initial configuration, and be able to use it (in the previous construction, the final
assignment of $A_1$ is lost). In fact, using an argument similar to that of
[5, Proposition 7.2], we can show that the language $\mathcal{L}_1$ is not recognised by non-reset
HRAs and, hence, the latter are not closed under Kleene star. Finally, note that
the HRA constructed for the language $\mathcal{L}_4$ in Example [TJ] is a non-reset HRA,
which implies that non-reset HRAs are not closed under complementation.

Emptiness. We next reduce emptiness for non-reset HRAs to control-state
reachability for VASSs, using the symbolic construction from Appendix A. The
reduction works by mapping each non-empty subset of $[m]$ to a VASS counter. This
produces a VASS of exponential size, and of square size if the original non-reset
HRA contained no registers. The latter discrimination is due to the fact that in
the general case the status of registers needs to be embedded inside states. For
the converse direction, we reduce reachability for a VASS of $2^m - 1$ counters to
emptiness for an (m, 0)-automaton: we map each counter to a non-empty subset
of $[m]$.

Proposition 24. Emptiness checking for non-reset HRAs is in 2-ExpSpace.
For non-reset HRAs without registers, it is ExpSpace-complete.

Proof. We reduce from and to VASSs. Let $A = (Q, q_0, H_0, \delta, F)$ be a non-reset
(m, n)-HRA. We follow the construction from Appendix A to obtain a simulating
VASS $A' = (Q', \delta')$ with $m' = 2^m - 1$ counters. The size $N'$ of each reachability
instance (A',(qo,S(Ho)),Vo,(q,(f>)) simulating emptiness of A is in 0(2^11 ). 
Now, in the specific case of $n = 0$, the factor $|S(m, n)|$ trivialises to 1 so, using
also the fact that there are no resets:

$N' \le |\delta| \cdot 2(2\log(|Q| \cdot (m'+1)) + \log(3^{m'})) + \|(q_0, H_0, q)\|$

Moreover, we do not need to take $m'$ to be $2^m - 1$; it suffices to let $m'$ be the
number of non-empty subsets of $[m]$ appearing in $\delta$, that is, all such $Y$ such that
there is some $(q, X, X', q') \in \delta$ with $Y \in \{X, X'\}$. It is only these subsets that we
need to track with counters. This implies $m' \le 2|\delta|$ and therefore $N' \in O(\|A\|^2)$.
Thus, from Fact 23 we have that emptiness for $A$ can in general be checked in
double exponential space, and in exponential space if $A$ has no registers.
Conversely, let A = (Q,S) be an to- VASS and (A,qo,vo,q) a reachability in- 
stance. We construct a non-reset (m',0)-HRA A' — (Q', (qo, 0), Hq, 5', {(q, 0)}), 
with to' = log(m+l), as follows. Set Q' = Q x {— 1,0, l} m_1 , pick a bijec- 
tion (j) : [to] — > TU$ ([to']) and an initial assignment Hq such that, for each i, 
\H @cj)(i)\ — voi and set: 

5' = {((<?, 0), 0,0,(^,0)) | (q,d,q')£5} 
U{((g,O),0O-),0,( 9 ',O«)) | (q,0(-l)v,q')ES} 
U{((q,d)AHj),(q\v)) | (q,0(mq')&S} 
U {((<?, 6(-l)v), cj>{j), 0, (q, 0v))} U {((q, 0(l)v), 0, 00'), (g, 0u))} 

where, in each case, the marked (1) or (-1) appears in the j-th dimension. Thus, 
we encode each counter i of A to a set of histories (j>(i) in A'. Each configu- 
ration (q,v) of A is simulated by a configuration ((q,0),H) of A' such that 

Vi = \H@4>(i)\ for all i. Each transition g ^> q' is then mapped to a sequence of 

7 Note that such a $(2^m - 1)$-to-$m$ reduction would not work for general R-VASSs (hence
the different reduction in Proposition 17), as resets would misbehave. More
specifically, in HRAs a single reset may affect more than one subset of $[m]$ (e.g. resetting
{1,2} clears not only {1,2}, but also {1} and {2}) and, in addition, resets cause
virtual transfers of names (e.g. resetting history 1 transfers all names appearing
precisely in histories 1,2 to history 2).

transitions $(q, \vec{0}) \xrightarrow{\ell_1} \cdots \xrightarrow{\ell_m} (q', \vec{0})$ where, for each $i$, $\ell_i = (\phi(i), \emptyset)$ if $v_i = -1$;
$\ell_i = (\emptyset, \phi(i))$ if $v_i = 1$; and $\ell_i$ is empty otherwise (actually, we drop it altogether).
In particular, to specify the transitions that need to be taken between (q, 0) and 

(q' , 0) we use the extra vector component of states. E.g. a transition q — — — ^— > q' 
is mapped to: 

(ff.OOOO) ^ (g',00(-l)l) (g',0001) ^ (,',0000) 
By construction, we have $(A, q_0, v_0, q) \in \mathit{Reach}$ iff $\mathcal{L}(A') \neq \emptyset$. Moreover,

\\A'\\ = \S'\ ■ (2 log \Q'\ + 2 log(m + l)) + || (q o ,0,H Q ,q, 0)|| 
and < \S\ ■ m, from which we obtain \\A'\\ G 0(||^l|| 2 ). □ 

Non-reset HRAs without registers We now show that non-reset HRAs with his- 
tories only are equi-expressive as general non-reset HRAs. The equivalence we 
prove is weaker than the one we proved for general HRAs: we show language 
equivalence rather than bisimilarity. Our proof below is based on the colouring 
technique of [5]. Before we proceed with the proof, let us first demonstrate the 
technique through an example. 

Example 25. It is easy to see that the following language

$\mathcal{L}_5 = \{a_1 \cdots a_n \in \mathcal{N}^* \mid \forall i.\ a_i \neq a_{i+1}\}$

is recognised by the (0, 1)-HRA on the left below. What is perhaps not as clear
is that the (2,0)-HRA on the right, call it $A$, accepts the same language.

[Figure: the (0, 1)-HRA (left) and the (2,0)-HRA $A$ (right). Transition labels as extracted: 0,1; 0,1/2,1; 0,2/1,2; 0,1 / 1,1]

Note first that, by construction, it is not possible for $A$ to accept the same
name in two successive transitions: if we write $(X, X')$ for the labels of incoming
transitions to $q_0$ and $(Y, Y')$ for the outgoing, we cannot match any $X'$ with some
$Y$, and similarly for $q_1$. This shows $\mathcal{L}(A) \subseteq \mathcal{L}_5$. To prove the other inclusion,
we need to show that for every word $w = a_1 \cdots a_n \in \mathcal{L}_5$ there is an accepting
run in $A$. For this, it suffices to find a sequence $\ell_1, \ldots, \ell_n$ of labels from the set
$\{(\emptyset, 1), (\emptyset, 2), (1, 1), (1, 2), (2, 1), (2, 2)\}$, say $\ell_i = (X_i, X_i')$, satisfying:

1. For any $i$, $X_i' \neq X_{i+1}$.

2. If $a_i = a_j$, $i < j$, and for no $i < k < j$ do we have $a_i = a_k$, then $X_i' = X_j$.

3. For any $i$, if $a_i \neq a_j$ for all $j < i$ then $X_i = \emptyset$.

The first condition ensures that the sequence corresponds to a valid transition
sequence in $A$, and the other two that the sequence accepts the word $w =
a_1 \cdots a_n$. Conditions 1 and 2 determine dependencies between the choices of left
and right components in $\ell_i$s. Let us attach to $w$ dependency pointers as follows:
attach a pointer of type 1 (dependency right-to-left) from each $a_i$ to its next
occurrence in $w$, say $a_j$; from each $a_{i+1}$ attach a type 2 pointer (dependency
left-to-right) to $a_i$. Now note that, as there is no cycle in $w$ which alternates
between type 1 and type 2 pointers, it is always possible to produce a valid
sequence $\ell_1, \ldots, \ell_n$.

We now show the general result. We assume automata with their registers 
initially empty - the general case can be captured by first applying a construction 
like A fix w of Lemma [TT] (the lemma introduces new registers for storing the 
initial names, but we can as well use new histories for the same purpose). The 
proof is presented in Appendix B.

Proposition 26. For each (n,m)-non-reset HRA $A$ with initially empty registers
there is an (n+3m,0)-non-reset HRA $A'$ such that $\mathcal{L}(A) = \mathcal{L}(A')$.

5.2 Unary HRAs 

Our second restriction concerns allowing resets but bounding the number of 
histories to just 1. Thus, these automata are closer to the spirit of FRAs and, in 
fact, extend them by rounding up their history capabilities. We show that these 
automata require polynomial space complexity for emptiness and retain all their 
closure properties apart from intersection. The latter is witnessed by failing to 
recognise $\mathcal{L}_2$ from the Introduction. We can see that extending this example to
multiple interleavings we can show that intersection is in general incompatible 
with bounding the number of histories. 

Definition 27. A (1,n)-HRA is called a unary HRA of n registers.

In other words, unary HRAs are extensions of FRAs where names can be 
selectively inserted or removed from histories and, additionally, histories can be 
reset. These capabilities give us in fact a strict extension. 

Example 28. The automata used in Example 3 for $\mathcal{L}_1$ and $\mathcal{L}_3$ were unary HRAs.
Note that neither of these languages is FRA-recognisable. On the other hand,
the language $\mathcal{L}_2$ is not recognisable by unary HRAs.
For suppose $\mathcal{L}_2 = \mathcal{L}(A)$ for some unary HRA $A$ of $n$ registers and let

$w = a_1 b_1 \cdots a_k b_k b_1 a_1 \cdots b_k a_k$

for $k = n+1$ and some pairwise distinct names $a_1, b_1, \ldots, a_k, b_k$. As $w \in \mathcal{L}_2$, there
is a path, say p, in A which accepts w. We divide p as P1P2 with P2 accepting the 
second half of w. Let p — p\f>2 be the corresponding configuration path and let 
(<?', H') be the first configuration in §2. We set S = {ai, b\, ■ ■ ■ , a k , b k } \ {a | a G 
H'(i) A i > 1} and do a case analysis on the labels of the form (X,X r ) which 
appear in P2 and accept names from S. Since names in S do not appear in any 
H'(i), for i > 0, it must be that each such X is either {1} or 0. We have the 
following cases. 

— There are two such labels, say $(\{1\}, X_i)$ and $(\{1\}, X_j)$, accepting names $a_i$
and $b_j$ respectively. But this would imply that $A$ also accepts $w'$, where $w'$
is $w$ with these occurrences of $a_i$ and $b_j$ swapped, contradicting $\mathcal{L}(A) = \mathcal{L}_2$
(as $w' \notin \mathcal{L}_2$).

— There are two such labels, say $(\emptyset, X_i)$ and $(\emptyset, X_j)$, accepting names $a_i$ and
$b_j$ respectively. In order for $A$ not to accept $w'$ ($w'$ as above), it is necessary
that a reset transition with label $Y \ni 1$ occurs between the two transitions.
Suppose $i < j$. Then, since $k > n$, there is a name $a_{i'}$ which does not appear
in any place after clearing $Y$. Thus, $(\emptyset, X_j)$ can accept $a_{i'}$ and complete the
path $p$ by accepting a word $w' \notin \mathcal{L}_2$. Dually if $j < i$.

— Each en G S is accepted by a label ({1},X'), and each & 3 G S by a label 
(0, X'). Let cti £ 5 be the last such accepted in p2- This means that the rest 
of the path has length at most 2n. Therefore, since k > n, there is a bj G S 
accepted inp2 before a^. Let ((?, H) be the configuration just before accepting 
bj. In order for A not to accept any at that point, it must be that all 
ait G S appear in H . Since \S\ > n + 1, there exists aj' G (1) Pi S 1 such that 
a,i> 7^ a.;. But then, the transition accepting can accept instead and 
lead to acceptance of a word w' g" £2 ■ 

We therefore reach a contradiction in every case. 

Closure properties. The closure constructions of Section 3 readily apply to unary
HRAs, with one exception: intersection. For the latter, we simply observe that
$\mathcal{L}_2 = \mathcal{L}(A_1) \cap \mathcal{L}(A_2)$, where $A_1$ and $A_2$ are the following unary (1,0)-HRAs,
with empty initial assignments.

[Figure: the unary (1,0)-HRAs $A_1$ and $A_2$. Transition labels as extracted: 0,1; 0,0/1,1]

We can see that their corresponding languages are:

$\mathcal{L}(A_1) = \{a_1 a_1' \cdots a_n a_n' \in \mathcal{N}^* \mid a_1 \cdots a_n \in \mathcal{L}_0\}$
$\mathcal{L}(A_2) = \{a_1 a_1' \cdots a_n a_n' \in \mathcal{N}^* \mid a_1' \cdots a_n' \in \mathcal{L}_0\}$

On the other hand, unary HRAs are not closed under complementation as one
can construct unary HRAs accepting $\overline{\mathcal{L}(A_1)}$ and $\overline{\mathcal{L}(A_2)}$, and then take their
union to obtain a unary HRA for $\overline{\mathcal{L}_2}$.

Emptiness In the case of just one history, the results on TR-VASS reachabil- 
ity [27110] we used in Section 2] provide rather rough bounds. It is therefore use- 
ful to do a direct analysis. We examine control-state reachability for R-VASSs 
of 1 dimension. Note that these machines can be seen as close relatives to sev- 
eral other formalisms, like one-counter automata or pushdown automata on a 
one-letter alphabet. To the best of our knowledge, though, there has been no di- 
rect attack of state reachability for R-VASSs of 1 dimension. Our analysis below 
(proof in Appendix B) yields square minimal-path length.

Lemma 29. Control-state reachability for R-VASSs of dimension 1 can be decided
in $\mathrm{SPACE}(\log^2 N)$.

We can now proceed with our main result for unary HRAs. Each such automaton
$A$ will be reduced to an R-VASS $A'$ with one counter, following the
method presented in Appendix A.

Proposition 30. Emptiness of unary HRAs can be decided in $\mathrm{SPACE}((N \log N)^2)$.

Proof. Let $A = (Q, q_0, H_0, \delta, F)$ be a unary HRA of $n$ registers and let $N = \|A\|$.
Following the construction from Appendix A we obtain a simulating R-VASS
$A' = (Q', \delta')$ with 1 counter such that $\mathcal{L}(A) \neq \emptyset$ iff there is $(q, \phi)$ with $q \in F$
such that $(A', (q_0, S(H_0)), |H_0(1)|, (q, \phi)) \in \mathit{Reach}$. By Lemma 29 the latter can
be decided in squared logarithmic space. Note that this does not require actually
constructing $A'$: we can apply the algorithm of Lemma 29 on the fly, using only
the space required for running it. Moreover, we can run each instance (for
different $(q, \phi)$'s) in the same space. Now, since there is only one history, the induced
size of $A'$ is relatively smaller. In particular, setting $M = |S(1, n)|$, we have
$\log M \le n + n \log n + 1 \le N \log N$ so the size of $(A', (q_0, S(H_0)), |H_0(1)|, (q, \phi))$
is:

$N' = |\delta'| \cdot (2\log|Q'| + 2) + \|(q_0, H_0, q, \phi)\|$
$\le |\delta| \cdot 2M \cdot (2\log(|Q| \cdot M \cdot 2) + 2) + \|(q_0, H_0, q)\| + \log M$

and hence $N' \le 2^{N \log N} \cdot N^2 \cdot \log N + N \cdot \log N$. Thus, by Lemma 29 we can
decide emptiness of $A$ in $\mathrm{SPACE}((N \log N)^2)$. □

6 Connections with existing formalisms 

We have already seen that HRAs strictly extend FRAs. In this section we shall 
draw connections between HRAs and an automata model over infinite alphabets 
in the limits of decidability, called Data Automata (DA), introduced in [5] in 
the context of XML database theory and model checking. DAs operate on data 
words, that is, over finite sequences of elements from $\Sigma \times \mathcal{N}$, where $\Sigma$ is a finite
set of data tags and $\mathcal{N}$ incarnates an infinite set of data values (but we shall
call them names). A DA operates in two stages which involve a transducer 
automaton and a finite-state automaton respectively. Both automata operate on 
the tag projection of the input word, with the second-stage automaton focussing 
on data tags accompanied by the same data value. 

For the rest of our discussion we shall abuse data words and treat them 
simply as strings of names, neglecting data tags. This is innocuous since there are 
straightforward translations between the two settings. An equivalent formalism
to DAs which is closer to our framework is the following [5] . 

8 A string of names is the same as a data word over a singleton set of data tags; while 
data tags can be simulated by names in registers of the initial configuration which 
do not get moved nor copied during the computation. 

Definition 31. A Class Memory Automaton (CMA) is a tuple $A = (Q, q_0, \phi_0, \delta, F_1, F_2)$
where $Q$ is a finite set of states, $q_0 \in Q$ is initial, $F_1 \subseteq F_2 \subseteq Q$ are sets of final
states and the transition relation is of type $\delta : Q \times (Q \cup \{\bot\}) \to \mathcal{P}(Q)$. Moreover,
$\phi_0$ is an initial class memory function, that is, a function $\phi : \mathcal{N} \to Q \cup \{\bot\}$ with
finite domain ($\{a \mid \phi(a) \neq \bot\}$ is finite).

The semantics of a CMA $A$ like the above is given as follows. Configurations
of $A$ are pairs of the form $(q, \phi)$, where $q \in Q$ and $\phi$ a class memory function. The
configuration graph of $A$ is constructed by setting $(q, \phi) \xrightarrow{a} (q', \phi')$ just if there
is $(q, \phi(a), q') \in \delta$ and $\phi' = \phi[a \mapsto q']$. The initial configuration is $(q_0, \phi_0)$, while a
configuration $(q, \phi)$ is accepting just if $q \in F_1$ and, for all $a \in \mathcal{N}$, $\phi(a) \in F_2 \cup \{\bot\}$.

Thus, CMAs resemble HRAs in that they store input names in "histories",
only that histories are identified with states: for each state $q$ there is a
corresponding history $q$ (note notation overloading), and a transition which accepts
a name $a$ and leads to a state $q$ must store $a$ in the history $q$. Moreover, each
name appears in at most one history (hence the type of $\phi$) and, moreover, the
finality conditions for configurations allow us to impose that all names appear in
specific histories, if they appear in any. For example, here is a CMA (left below,
with $F_1 = F_2 = \{q_0\}$) which recognises the language $\mathcal{L}_4$.

[Figure: a CMA (left) and an HRA (right). Transition labels as extracted: 0,1; 1,2; 0,1]

Each name is put in history $q_1$ when seen for the first time, and to $q_0$ when
seen for the second time. The automaton accepts if all its names are in $q_0$.
This latter condition is what makes the essential difference to HRAs, namely the
capability to check where the names reside for acceptance. For example, the HRA
on the right above would accept the same language were we able to impose the
condition that accepting configurations $(q, H)$ satisfy $a \in H@\{2\}$ for all names
$a \in \bigcup_i H(i)$.

The above example proves that HRAs cannot express the same languages as
CMAs. Conversely, as shown in [5, Proposition 7.2], the fact that CMAs lack
resets does not allow them to express languages like, for example, $\mathcal{L}_1 = (\mathcal{L}_{a_0})^*$
where:

£-a = i aw € A) I w € J\f* A a = ao} 

In the latter sections of [5] several extensions of CMAs are considered, one of 
which does involve resets. However, the resets considered there do not seem 
directly comparable to the reset capability of HRAs. 

On the other hand, a direct comparison can be made with non-reset HRAs. 
We already saw in Proposition 26 that, in the latter formalism, histories can be
used for simulating register behaviour. In the absence of registers, CMAs differ 
from non-reset HRAs solely in their constraint of relating histories to states (and 
their termination behaviour, which is more expressive). As the latter can be easily 
counterbalanced by obfuscating the set of states, we obtain the following. 

Proposition 32. For each non-reset HRA $A$ there is a CMA $A'$ such that
$\mathcal{L}(A) = \mathcal{L}(A')$.



7 Further directions 

We see several further directions of this work. A first direction is examining the
decidability of bisimilarity. Although it is known that bisimilarity is undecidable
for Petri nets [14], the version which seems of relevance towards an undecidability
argument for HRA-bisimilarity is that of visibly counter automata with labels,
i.e. automata which accept labels at each transition, and the action of each
transition is determined by the accepted label. The latter problem is not known to be
decidable. On the other hand, it seems reasonable to consider further extensions
of HRAs with additional expressiveness added by constrained tests for zero, for
example as in [11]. Finally, an avenue we would like to pursue is the application
of automata with histories in runtime verification, in the spirit of [13]. Although
the complexity results derived in this paper may seem discouraging at first, they
are based on quite specific representations of hard problems. In practice, we
expect programs to yield automata of simpler complexities. Experience with tools
based on coverability of TR-VASSs, like e.g. BFC [16], testifies positively in that
respect.

A Reasoning about emptiness symbolically 

In this section we describe a method for reducing emptiness for HRAs to
control-state reachability for TR-VASSs. For convenience, we shall consider a specific
subclass of HRAs which encompasses the weak HRAs we examine in Section 5
and for which the corresponding TR-VASSs are just R-VASSs. More specifically,
we examine HRAs $A = (Q, q_0, H_0, \delta, F)$ such that:



We can see that in the above machines it is not possible to virtually transfer 
names between histories. Therefore, all possible transfers are additions of single 
names, or literal resets. 

Before we proceed with our analysis, let us fix the way we compute the size
of our machines. For a set $X$, we write $|X|$ for its cardinality. For a structure
$X$, we write $\|X\|$ for its size. We assume that in general we need $\log(k)$ space to
encode any $i$ from a set $[k]$.

HRA. Let $A = (Q, q_0, H_0, \delta, F)$ be an (m, n)-HRA. We represent $A$ by encoding
$\delta$, $q_0$, $H_0$ and $F$, where $\delta$ is encoded as an array of tuples of the form $(q, \ell, q')$ with
$\ell \in \mathcal{P}([m+n])^2 \cup \mathcal{P}([m+n])$. We have $\|\delta\| = |\delta| \cdot (2\log|Q| + \log(2^{2(m+n)} + 2^{m+n}))$




x 



[m] C X 



and so:

$\|A\| = \|\delta\| + \|(q_0, H_0)\| + \|F\|$
$= |\delta| \cdot (2\log|Q| + \log(2^{2(m+n)} + 2^{m+n})) + \|(q_0, H_0)\| + \|F\|$

where $\|F\| = |F| \cdot \log|Q|$. A rough lower bound of the above is:

$\|A\| > 2|\delta| \cdot \log|Q| + 2|\delta| \cdot (m+n) + \|(q_0, H_0)\| + \|F\|$

R-VASS. Let $A = (Q, \delta)$ be an R-VASS of $m$ dimensions. Encoding $\delta$ as an array
with entries of the form $(q, \ell, q')$, where $\ell \in \{-1, 0, 1\}^m \cup [m]$, we have that the
size of $A$ is:

$\|A\| = \|\delta\| = |\delta| \cdot (2\log|Q| + \log(3^m + m))$

The size $\|(A, q_0, v_0, q_F)\|$ of an input to state-reachability is:

$|\delta| \cdot (2\log|Q| + \log(3^m + m)) + \|(q_0, v_0)\| + \|q_F\|$

Skeletons. Checking language emptiness for a given HRA boils down to determining
the existence of a symbolic accepting path, i.e. a sequence of $\delta$-steps from the
initial state to some final state, which is also realisable by the HRA, i.e. it leads to
a corresponding configuration path. Finding symbolic paths from initial to final
states is easy: one just needs to decide emptiness for the finite-state automaton
underlying the HRA in examination. On the other hand, resolving whether a
path is realisable is more demanding: in order for a transition $q \xrightarrow{X,X'} q'$ to be
realisable, it is necessary that the automaton be at a configuration $H$ such that
there exists a name appearing precisely in places $X$; put otherwise, $|H@X| > 0$.

We address the above by constructing counter machines which operate sym- 
bolically and carry along during computation (inside their states and counters) 
the minimal amount of information necessary for resolving whether a transition 
of the modelled HRA can be taken. This information corresponds to a symbolic 
encoding of actual assignments. For each assignment H, it consists of: 

(i) A partition of the set of registers according to whether they contain the same 
name in iJ, and a function assigning to each history those registers whose 
contents appear in that history. 

(ii) For each set of histories A, a counter which stores the number of names 
which appear exactly in X. 

We call part (i) the skeleton of the assignment, and part (ii) its counters. Con- 
sider, for example, the (1,4)-HRA assignments: 

H t = {(1, {6}), (2, {a}), (3, 0), (4, {6}), (5, {a})} 
H 2 = {(1, {a, b, c}), (2, {d}), (3, 0), (4, {a}), (5, {d})} 

Their skeletons coincide as, in both assignments: 

— the first and fourth registers (places 2 and 5) contain the same name, the 
third register (place 4) contains a different one, and the second register (place 
3) is empty; 

— the history (place 1) contains the name of the third register, and no other 
names from the registers. 
On the other hand, their counters differ: the former leads to a counter value 0
(no names appearing only in the history), while the latter leads to 2.

Formally, for each $(m, n)$ we set $S(m,n)$ to be the set of all functions
$\phi : [m+n] \to \mathcal{P}([n])$, such that:

— For all $i > m$, $|\phi(i)| \leq 1$ and, moreover, the values for $\phi(i)$ are picked in
the following sequential manner: if $\phi(i) = \{j\}$ then either $\phi(i') = \{j\}$ for
some $m < i' < i$, or $j$ is the least element of $[n]$ which has not appeared in
$\phi(m+1), \cdots, \phi(i-1)$.

— For all $i \leq m$, $\phi(i) \subseteq \bigcup_{i' > m} \phi(i')$.

We call elements of $S(m,n)$ skeletons. For each skeleton $\phi$, its restriction to
indices greater than $m$ represents a partition of the $n$ registers: registers $i$ and $j$
are in the same part if $\phi(m+i) = \phi(m+j) \neq \emptyset$; register $i$ is empty if $\phi(m+i) = \emptyset$.
On the other hand, for each $i \leq m$, $\phi(i)$ contains the index $\phi(m+j)$ just if
the name of the $j$-th register appears in the $i$-th history. For example, both
configurations in (1) have the skeleton $(\{2\},\{1\},\emptyset,\{2\},\{1\})$.

Note that, because of the canonical selection of indices for skeleton values,
each assignment $H$ has a unique skeleton, which we denote by $S(H)$. Moreover,

$|S(m,n)| \leq 2^{mn} \cdot (n+1)! \leq 2^{mn + n\log n + 1}$    (2)

which is slightly better than the $2^{n(m+n)}$ we would have obtained had we taken
skeletons to be all functions in $[m+n] \to \mathcal{P}([n])$. Let us now describe how
we update skeletons so that they mimic assignment updates. For each $\phi$ and
$X \subseteq [m+n]$, we set $\phi@X = \bigcap_{i \in X} \phi(i) \setminus \bigcup_{i \notin X} \phi(i)$. In the specific case of $X = \emptyset$
we slightly abuse this and set $\phi@\emptyset = \{0\}$. Thus, the @ operator mimics the @
operator for assignments: if $\phi@X = \{j\}$ and $\phi = S(H)$, for some assignment
$H$, then there is a name $a$ such that $H@X = \{a\}$. In such a case, we write
$\phi[j \text{ in } X']$ for $S(H[a \text{ in } X'])$, for any $X'$. Finally, for each $\phi$ representing some
$H$ and $X \subseteq [m+n]$ we write $\phi[X \mapsto \emptyset]$ for $S(H[X \mapsto \emptyset])$. This completes the
definition of skeleton updates.
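
The skeleton and counter definitions above can be checked mechanically. The following Python sketch is an added example, not code from the paper: it computes the skeleton, the counters and the @ operator for the two (1,4)-HRA assignments of the running example. The function names and the dictionary encoding of assignments are assumptions made for illustration.

```python
from itertools import combinations

def skeleton(H, m, n):
    """Skeleton of an (m,n)-assignment H (dict: place -> set of names).
    Places 1..m are histories, places m+1..m+n are registers."""
    index_of = {}   # register name -> canonical index in [n]
    phi = {}
    for i in range(m + 1, m + n + 1):
        names = H.get(i, set())
        if len(names) > 1:
            raise ValueError(f"register place {i} holds more than one name")
        if not names:
            phi[i] = frozenset()
            continue
        (a,) = names
        # Reuse the index of an earlier register holding the same name,
        # otherwise take the least index of [n] not used so far.
        j = index_of.setdefault(a, len(index_of) + 1)
        phi[i] = frozenset({j})
    for i in range(1, m + 1):
        # A history records only the indices of register names it contains.
        phi[i] = frozenset(index_of[a] for a in H.get(i, set()) if a in index_of)
    return phi

def at(f, X, places):
    """f@X: elements in every place of X and in no place outside X."""
    X = set(X)
    if not X:
        raise ValueError("the case X = emptyset is treated separately in the text")
    inside = set.intersection(*(set(f[i]) for i in X))
    outside = set().union(*(set(f[i]) for i in places if i not in X))
    return inside - outside

def counters(H, m, n):
    """For each non-empty set X of histories: how many names appear exactly in X."""
    places = range(1, m + n + 1)
    return {X: len(at(H, X, places))
            for r in range(1, m + 1)
            for X in combinations(range(1, m + 1), r)}

# The two assignments of the running example (m = 1 history, n = 4 registers).
H1 = {1: {"b"}, 2: {"a"}, 3: set(), 4: {"b"}, 5: {"a"}}
H2 = {1: {"a", "b", "c"}, 2: {"d"}, 3: set(), 4: {"a"}, 5: {"d"}}
```

Both assignments yield the same skeleton but different counters, and `at` applied to the skeleton returns a singleton exactly when `at` applied to the assignment does.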

Simulating R-VASSs. We now proceed to the concrete construction of counter
machines, in the form of R-VASSs, which simulate HRAs for emptiness. Suppose
$\mathcal{A} = (Q, q_0, H_0, \delta, F)$ is an $(m, n)$-HRA and let $X_1, \cdots, X_{m'}$ be an enumeration
of the non-empty subsets of $[m]$ (which require each a counter for the symbolic
representation of assignments), so $m' = 2^m - 1$. We construct a simulating
R-VASS $\mathcal{A}' = (Q', \delta')$ with $m'$ dimensions in which states are equipped with
skeletons. At skeleton $\phi$, each $q \xrightarrow{X,X'} q' \in \delta$ shall be mapped to a sequence of
transitions in $\mathcal{A}'$, according to the following rules.

— If X ^ and </)@X — then the sequence is void. 

— Otherwise, if $X = X_j$ then the first transition is a decrement of the $j$-th
counter.

— If $X' = X_i$ then the next transition is an increment of the $i$-th counter.

— If $X' \not\subseteq [m]$ then the next transition increments each counter $i$ such that
there is a set $Y_i$ with $\phi@Y_i \neq \emptyset$ and $X_i = Y_i \setminus (X' \setminus [m])$. This reconciles
for the fact that the registers in $X'$ will be overwritten and therefore their
names transferred.

On the other hand, at the same $\phi$, a transition $q \xrightarrow{X} q' \in \delta$ shall be mapped to
a transition in $\mathcal{A}'$, according to the rules:

- If $[m] \subseteq X$ then the sequence is just a reset of all counters.

- Otherwise, $[m] \cap X = \emptyset$ and, therefore, transitions increasing all counters
according to the last point above will occur.

In each case, the skeleton is updated according to $X$, $X'$.

Formally, we set $Q' = Q \times S(m, n) \times (\{0\} \cup [m'])$, where the last component
is an index used to facilitate breaking each transition of $\delta$ into potentially two
transitions. We include in $\delta'$ the following transitions. For each $(q, \phi, 0) \in Q'$ and
$q \xrightarrow{X,X'} q' \in \delta$:

- if (f>@X = {j} and X' = X u add (q, 4>, 0) ^ {q', </>', 0) where </>' = <j>\j in X']; 

- if (j)@X = {j} and X' <£ {X u --- ,X m ,}, add (q,<j>,0) -A (q',<t>',0) where 
4>' = (f)[j in X'] and vj = 1 for all j such that there is Yj with <j)@Yj ^ and 
Xj = Yj\ (X' \ [to]), and vj — otherwise; 

- if X = Xi and X' = Xj, add a sequence (q, <f>, 0) — ^ (q 1 , 4>' ,j) (q' , <j>' , 0) 
where <j>' = <f>[0 in X']; 

- if X = Xi and X' ^ {X\,--- ,X m >}, add a sequence (q, 4>, 0) > 

(q',(j)',Vi) (q',(f>',0) where 0' = (p[0 in X'] and = 1 for all j such 
that there is Yj with (j)@Yj ^ and Xj = Yj \ (X' \ [to]), and Vj = 
otherwise, and v' = 0[i i— > Vi]. 

Moreover, for each q — > q' G 8: 

- if [to] n X = then add (q, (f>, 0) (g, </>LY ^ 0], 0) where ^ = 1 for all j 
such that there is Yj with 0@Yj ^ and Xj = Yj \ (X' \ [to]), and vj = 
otherwise; 

- if [to] C X then add (q, (j), 0) -A (q, <p[X ^ 0], 0) where Xj = [to]. 

Finally, we set $v_0 = \{(j, |H_0@X_j|) \mid j \in [m']\}$.

Thus, $\mathcal{A}'$ symbolically simulates the transition behaviour of $\mathcal{A}$ and updates
at each transition its skeleton and counters in such a way that, for each
configuration $(q, H)$ of $\mathcal{A}$, $\mathcal{A}'$ is in the configuration $(q, \phi, 0, v)$ with $S(H) = \phi$ and
$|H@X_j| = v_j$ for each $j \in [m']$. We can therefore show the following.

Lemma 33. For $\mathcal{A}$, $\mathcal{A}'$ as above, $\mathcal{L}(\mathcal{A}) \neq \emptyset$ iff there is $(q, \phi) \in Q'$ with $q \in F$
such that $(\mathcal{A}', (q_0, S(H_0)), v_0, (q, \phi)) \in$ Reach.
Let us now compare the size of each of the constructed reachability instances
to that of the HRA we started from. Note first that in encoding $H_0$ we need
only encode its internal structure; the specific names appearing in it are of no
importance (e.g. we can assume we have a canonical way to produce them). As
the structure of $H_0$ is precisely $(S(H_0), v_0)$, we have $\|H_0\| = \|(S(H_0), v_0)\|$.
Thus, the size $N'$ of the instance $(\mathcal{A}', (q_0, S(H_0)), v_0, (q, \phi))$ is:

$N' = |\delta'| \cdot (2\log|Q'| + \log(3^{m'} + m')) + \|(q_0, H_0, q, \phi)\|$
$\leq |\delta| \cdot 2|S(m,n)| \cdot (2\log(|Q| \cdot |S(m,n)| \cdot (m'+1)) + \log(3^{m'} + m'))$
$+ \|(q_0, H_0, q)\| + \log|S(m,n)|$

where we use the fact that to any transition in $\delta$ correspond at most $|S(m,n)|$
transitions in $\delta'$ (one for each skeleton). Now, $\log|S(m,n)| \leq mn + n\log n + 1 \leq N^2$,
where $N = \|\mathcal{A}\|$. Hence, after rough simplifications, from the above we
obtain N' < 2 n2+n ■ N + N 2 . 

B Deferred proofs 

Proof (Proof of Lemma Ml)). We construct $\mathcal{A}_{\mathrm{fix}\,w} = (Q', q'_0, H'_0, \delta', F')$ as follows.
First, we insert/move all names of $w$ to the new registers (places $[m+n+1, m+n+k]$),
i.e. we set $H'_0(i) = H_0(i) \setminus \{a_1, \cdots, a_k\}$ for all $i \in [m+n]$, and $H'_0(m+n+i) = \{a_i\}$
for each $i \in [k]$. The role of the new registers is to constantly store the names
in $w$ and act on the behalf of other places when the latter intend to use those
names: during computation, whenever an $a_i$ is captured by a transition of the
initial automaton $\mathcal{A}$, in $\mathcal{A}_{\mathrm{fix}\,w}$ it will be instead simulated by a transition
involving the new registers. In order for the simulation to be accurate, we shall inject
inside states information specifying the intended location of the $a_i$'s in the places
of $\mathcal{A}$. Thus, the states of the new automaton are pairs $(q, f)$, where $q \in Q$ and
$f$ is a function recording, for each of the new registers, where would the name
of the register appear in the original automaton $\mathcal{A}$. That is,

$Q' = Q \times \{f : [k] \to \mathcal{P}([m+n]) \mid \forall j \neq j'.\ f(j) \cap f(j') \subseteq [m]\}$

while $q'_0 = (q_0, \{(i, \{j \mid a_i \in H_0(j)\}) \mid i \in [k]\})$ and $F' = \{(q, f) \in Q' \mid q \in F\}$.
Finally, $\delta'$ operates just like $\delta$ albeit taking into account the $f$'s of states to figure
out the intended positions of the $a_i$'s and, at the same time, update the $f$'s after
each transition. We therefore include in $\delta'$ precisely the following transitions.

Below we write i° for m+n+i. For each (q, f) £ Q' and q — > q' £ 5, 

— add a transition (q, f) ^5 (q' , /); 

- if f(i) = X for some % then add (q, f) KKK} ) (q' , f) where /' = f[i ^ X'}; 

Moreover, for each q — > q' £ 5 include (q, /) — > (q' , f) where /' = {(j, f{j) \ 
X) | t £ [k]}. 

Following the above line of reasoning, we can show that the relation

$\{((q, H), (q, f, H')) \mid \forall i \in [m+n].\ H(i) = H'(i) \cup \{a_j \mid i \in f(j)\}\}$

with $(q, H)$, $(q, f, H')$ reachable configurations, is a bisimulation. □

Proof (LemmaWty. Let $\mathcal{A} = (Q, \delta)$ be an R-VASS of 1 dimension. We first state
two rather straightforward facts about $\mathcal{A}$.

Fact 1. $\mathcal{A}$ is up-monotonic: if $(q, i) \twoheadrightarrow (q', i')$ is a configuration path of $\mathcal{A}$ then,
for each $k > 0$, there is a path $(q, i+k) \twoheadrightarrow (q', i'')$ of the same length.
Fact 2. $\mathcal{A}$ is down-monotonic: if $(q, i) \twoheadrightarrow (q', i')$ is a configuration path of $\mathcal{A}$ in
which there are no reset edges and the counter never becomes less than $k$, some
$k > 0$, then there is a path $(q, i-k) \twoheadrightarrow (q', i'')$ of the same length.
Now, let $(\mathcal{A}, q_0, i_0, q_F)$ be an instance for Reach and let $p$ be a configuration path
from $(q_0, i_0)$ to $(q_F, i_F)$, some $i_F$, such that $p$ is of least length among all paths
leading to some $(q_F, i)$. By Fact 1, we have that $p$ is non-decreasing: if $(q, i')$
appears after $(q, i)$ in $p$ and $i' < i$ then we can circumvent the entire subpath
between $(q, i)$ and $(q, i')$. Now suppose $(q, i+k)$ appears after $(q, i)$ in $p$, some $k > 0$.
By Fact 2 and minimality of $p$, there must be a configuration $(q', k-1)$ after
$(q, i+k)$ in $p$ such that there are no reset edges between $(q, i+k)$ and $(q', k-1)$.
Let $p'$ be a subpath of $p$ of the form $(q, i+k), (q'', i+k-1), \cdots, (q', k-1)$.⁹ Since
$p'$ is non-decreasing, all its states are different and hence, as $p'$ has length $i+2$,
we have $i+2 \leq |Q|$, i.e. $i \leq |Q|-2$. This gives us a bound on the counter value
of any state that can be repeated in $p$. Thus, each state can appear in $p$ at most
$|Q|$ times, with counter values $0, 1, 2, 3, \cdots, |Q|-2, j$ (last occurrence can have
any value). This implies that the length of $p$ is at most $|Q|^2$ and that in $p$ the
counter does not exceed the value $i_0 + |Q|^2 - 1$.

We can therefore check $(\mathcal{A}, q_0, i_0, q_F) \in$ Reach as follows. Note first that, by
Facts 1, 2 and the fact that the length of minimal reaching path is at most $|Q|^2$,
if $i_0 > |Q|^2 - 1$ then it suffices to check $(\mathcal{A}, q_0, |Q|^2 - 1, q_F) \in$ Reach. Thus,
we need only check $(\mathcal{A}, q_0, N_0, q_F) \in$ Reach with $N_0 = \min(i_0, |Q|^2 - 1)$. We
do this by non-deterministically computing $|Q|^2$ consecutive configurations and
checking whether any of them is final. We only store the current configuration
and a counter bounded by $|Q|^2$. Thus, we require space $\log|Q| + \log(N_0 + |Q|^2 - 1)$
for the configuration and $\log|Q|^2$ for the counter so, in total, less than
$\log|Q| + \log(2|Q|^2) + \log|Q|^2$. Since $N = \|(\mathcal{A}, q_0, N_0, q_F)\| > |Q| \cdot \log|Q|$, we require space
$O(\log N)$. By Savitch's theorem, we get SPACE($\log^2 N$). □
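
The decision procedure in the proof above can be made concrete. The following Python sketch is an added example, not code from the paper: it replaces the nondeterministic guess by a deterministic breadth-first exploration that keeps the same two bounds (initial counter clamped to $N_0$, at most $|Q|^2$ steps). The function name and the encoding of transitions as triples with the string "reset" are assumptions made for illustration.

```python
def reach_1d(states, delta, q0, i0, qF):
    """Decide whether some configuration (qF, i) is reachable from (q0, i0)
    in a 1-dimensional R-VASS.

    delta is a list of (q, op, q2) with op in {-1, 0, +1} (added to the
    counter, which must stay >= 0) or op == "reset" (counter set to 0)."""
    bound = len(states) ** 2          # |Q|^2: length bound on a minimal path
    n0 = min(i0, bound - 1)           # clamped initial counter N_0
    frontier = {(q0, n0)}
    seen = set(frontier)
    for _ in range(bound):
        if any(q == qF for q, _c in frontier):
            return True
        nxt = set()
        for q, c in frontier:
            for p, op, p2 in delta:
                if p != q:
                    continue
                c2 = 0 if op == "reset" else c + op
                # A decrement at counter value 0 is not enabled.
                if c2 >= 0 and (p2, c2) not in seen:
                    seen.add((p2, c2))
                    nxt.add((p2, c2))
        frontier = nxt
    return any(q == qF for q, _c in frontier)

# Constructed sample machines over states 0, 1, 2.
STATES = [0, 1, 2]
PUMP = [(0, +1, 0), (0, -1, 1), (1, -1, 2)]      # pump the counter, then spend it
RESET_THEN_DEC = [(0, "reset", 1), (1, -1, 2)]   # reset empties the counter
TWO_DECS = [(0, 0, 1), (1, -1, 2)]
```

Because the step bound also caps the counter at $N_0 + |Q|^2$, the explored configuration space stays polynomial in $|Q|$ even when $i_0$ is very large.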

Proof (Proposition \2b}). For simplicity, and in order to make our argument
cleaner, the proof we present here assumes that names are kept in at most one
register at a time, and in particular transitions have singletons for labels as far as
registers are concerned. The same technique, though, applies to the general case
modulo some extra technical nuances. For the same reasons, we shall assume
$n = 0$. We shall simulate each register of $\mathcal{A}$ by 3 histories in $\mathcal{A}'$: each register
$i$ in $\mathcal{A}$ will have counterparts $i_r, i_b, i_y$ in $\mathcal{A}'$.¹⁰ Whenever a name $a$ is assigned
to register $i$ (in $\mathcal{A}$), in $\mathcal{A}'$ it is assigned to one of $i_r, i_b, i_y$. More precisely, it is
assigned to $i_r$ if the next time the name appears in the computation of $\mathcal{A}$ is by
reading register $i$. Otherwise, the next occurrence of $a$ can only happen after
the contents of register $i$ are rewritten, and $a$ is assigned again to some register
$j$ as a locally fresh name; in the latter case, the name will be stored in either
of $i_b, i_y$. The reason we need two histories for the latter case is so that we can
ensure that $\mathcal{A}'$ does not select a locally non-fresh name when it is expected to
accept instead a locally fresh one. This can already be seen in Example 30, and
will become clearer below.

9 Here by subpath we mean a sequence of nodes from p in the same order as in p.
10 The indices b and y stand for black and yellow, in accordance to [S], and r stands
for read.

Let $\mathcal{A} = (Q, q_0, H_0, \delta, F)$ with $H_0(i) = \emptyset$ for all $i \in [m]$. We set
$\mathcal{A}' = (Q', q'_0, H'_0, \delta', F')$, a non-reset HRA of type $(3m, 0)$, where

$Q' = Q \times ([m] \to \{\emptyset, r, b, y\})$,

$q'_0 = (q_0, \{(j, \emptyset) \mid j \in [3m]\})$, $H'_0 = \{(j, \emptyset) \mid j \in [3m]\}$ and
$F' = \{(q, f) \in Q' \mid q \in F\}$. The extra component $f$ in each state serves the purpose of
recording, at each point during the computation, where does the name of register $i$ of
$\mathcal{A}$ reside in $\mathcal{A}'$: $f(i) = r$ ($= b, y$) means it is in history $i_r$ ($i_b$, $i_y$ resp.). If register $i$
is empty then we set $f(i) = \emptyset$. Finally, we include in $\delta'$ precisely the following transitions.

— For each q —4 q' G S, add (q, f) (q',f[i 0]\j i-> <f>]) where f(i) = r, 
(j) 7^ and j ^ i => f(j) ^ r. 

i i 

— For each q — > q G (5, add (q, f) (gr , /[« i-> 0]) where /(i) = r. 

— For each g —4 g' G 5, add (g, f) (g', /[j i-> 0]) where /(j) 7^ r and 

^e{6,»}\{/(i)}. 

— For each q —I g' G 5, add (g, /) (g' ; /) where </»' G {6, y} \ {/(»)}. 

— For each g ^4 g' G (5, add (g, /) ^1 (g', /[j i-> 0]) where /(j) ^ r. 

— For each g — — > q' G 5, add (g, /) — — > (g', /). 

Note that the conditions on $f$ and outgoing labels always ensure that histories
$i_r$ contain at most one name. We claim that $\mathcal{L}(\mathcal{A}) = \mathcal{L}(\mathcal{A}')$. Let first $w \in \mathcal{L}(\mathcal{A}')$
have an accepting transition path $p$ in $\mathcal{A}'$ with edges $(q_k, f_k) \xrightarrow{X_k, Y_k} (q_{k+1}, f_{k+1})$.
Reading the definition of $\delta'$ backwards, this yields an accepting transition path
$p'$ in $\mathcal{A}$ with edges $q_k \xrightarrow{X'_k, Y'_k} q_{k+1}$ where

— X' k = i if Xk = i r , and = otherwise; 

— Y" fe ' = j if Y" fe G {ir,ife,ij/}, and Y k = otherwise. 

To see that $p'$ accepts $w$, note that, for each configuration $(q_k, f_k, H_k)$,

— if $X_k = i_r$ then $H_k(i_r) = \{a\}$ and $f_k(i) = r$ so $a$ is the last name stored in
either of $i_r, i_y$;

— if $X_k = i_b$ then $f_k(i) \neq b$ and therefore the last name $a$ stored in either of
$i_r, i_b, i_y$ is not stored in $i_b$, hence $a$ is locally fresh; similarly if $X_k = i_y$;

— if $X_k = \emptyset$ then the accepted name is globally fresh.

Hence, noting also that by design the last name stored in either of $i_r, i_b, i_y$ (in
the run of $p$) is the same as the name stored in register $i$ (in $p'$), we have that
$w \in \mathcal{L}(\mathcal{A}')$.

Conversely, let w = a\ ■ ■ ■ a at G £(-4) have an accepting transition path p with 
edges qk X -i-> k q k+1 (fc = 0, • • ■ , TV— 1). We construct an accepting path p' in A' 

with edges {qk, fk) Jv ^ k (<?fe+i, /fc+i) as follows. We have that / = {(i, 0) | i e 
[to]}. Moreover: 

(a) For each position fc such that in all previous appearances of a k in s, say as 
a-k = CLk' with k' < k (if any), ay is not stored (i.e. Yfc = 0), we set Xk = 0. 

(b) For each position fc such that Yfc = i and the next appearance of a k in s is 
some a*/ with Xy = i, we set = z r . 

(c) For each position fc such that Yk = i and the next appearance of a k in s is 
some ay with = 0, we choose some Yk € {«6, %}■ 

The rest of the labels in $p'$ and the form of the $f_k$'s is derived from the above
according to the definition of $\delta'$. To show that $p'$ indeed accepts $w$ we need
to show that our above labelling is correct and, in particular, that there is a
valid choice of labels from $\{i_b, i_y\}$ in the step (c) above. By a valid choice we
mean one such that if, for instance, $Y_k = i_b$ then $f_{k'}(i) \neq b$ and therefore $X_{k'}$
can correctly pick $a_k$. By definition, the value of $f_{k'}(i)$ is determined by the
rightmost position $l$, with $k < l < k'$, which assigns a name in either of $i_r, i_y$
(since $a_k$ becomes locally fresh from state $q_k$ to $q_{k'}$, such an $l$ always exists). Our
constraint, therefore, (in this case) is that $Y_l \neq b$. In particular, if position $l$
falls under case (c) above, we need to choose $Y_l = y$. Thus, it suffices to colour
all our positions which fall under case (c) with colours from $b, y$, such that no
inter-related $q_k$ and $q_l$ have the same colour. We claim that such a colouring is
always possible. Indeed, we can build a graph $\mathcal{G}$ as follows. The nodes of $\mathcal{G}$ are
the positions which fall under case (c), arranged on a line in ascending order,
from left to right. Now, for each inter-related positions $k$ and $l$ as above, we add
a directed edge from node $k$ to node $l$. Then, a valid colouring of our positions
is possible iff $\mathcal{G}$ is 2-colourable, i.e. if it contains no cycles. Now note that each
node in $\mathcal{G}$ has at most one outgoing edge, and all edges go from left to right
(above, $k < l$). Hence, $\mathcal{G}$ is 2-colourable and we can therefore build a valid path
$p'$ in $\mathcal{A}'$ accepting $w$. □